Nurses Must Be Wary of Cybercrimes Aimed at Medical Technology
Posted: November 17, 2015 by Colin Seymour in Nursing Newsroom
Computer monitoring of patients from afar and even maintaining their treatments via devices operated from afar has enabled many nurses to specialize in computer expertise. There are even informaticists at many hospitals and other institutions who integrate computer technology into their fellow nurses’ overall job functions.
Now it appears nurses ought to become a vital part of the vigilance needed to counter cyberattacks against medical devices and other technology. More than 10 million Americans rely on devices like pacemakers and insulin pumps. Even if nurses aren’t directly detecting and countering the attacks, they will need to know the many ways they will be affected by the dangers, as well as what can be done about them.
Recent news developments have brought a dramatic uptick in attention to those dangers.
- In 2014, the FBI issued an official alert to the health care industry about its vulnerability to sabotage. “The health care industry is not as resilient to cyberintrusions compared to the financial and retail sectors,” Reuters quoted an FBI private notice as stating. “Therefore the possibility of increased cyberintrusions is likely.”
- In June 2015, a report by the cybersecurity company TrapX offered proof that cyberattacks on medical devices are already taking place. TrapX said a medical device hijack, or “medjack,” involving malware had been used to compromise at least three hospital systems in a manner that cybercriminals could exploit. One involved malware in surgical blood gas analyzers. Another could have affected the hospital’s X-ray system.
- And in August 2015, the U.S. Food and Drug Administration advised hospitals not to use Hospira Inc.’s Symbiq infusion system, a pump that delivers medications directly into patients’ bloodstreams, because of a security breach that could have enabled remote control of the system by cyberattackers.
Why nurses should be alert for cyberattacks
Although no actual such attacks have been documented, according to the FDA and Department of Homeland Security, there is reason to fear them.
“Someone will find a reason to change a counter on an insulin pump or take over a defibrillator just because they can,” said Consumer Watchdog President Jamie Court, according to a broadcast segment on KQED, a PBS station in San Francisco.
The infusion pumps are among the numerous devices that hackers might target, such as pacemakers, CT scanners, MRI machines, even automated pharmacy systems, as well as medical records.
“Hospitals and their staff are very accustomed to preventing the spread of biological infections, and they must now apply similar levels of prevention to preventing the spread of cyberinfections.” – Adam Winn
The incentives? “Health care data presents an attractive target for organized crime,” TrapX executive Carl Wright told KQED, noting that medical information often commands 10 times as much money as a credit card number on the black market.
The reasoning is that health data tends to abet access to bank accounts or prescriptions for controlled substances.
Measures to counter these attacks have been employed for years, but not well enough, experts say.
“They’re not open to security teams to scan or to use typical security products on,” said TrapX executive Greg Enriquez, according to Kelly Jackson Higgins of Information Week. “Often these devices are behind secondary firewalls managed by the manufacturer of the device, and the security team doesn’t have access.”
The prevalence of common Windows operating systems on medical devices makes them easy for hackers to compromise, said Billy Rios, a researcher and white hat hacker who often researches for Homeland Security and is the founder of Laconicly LLC.
In the case of the blood gas analyzers, they were infected with malware within the hospital despite a firewall, heuristics-based intrusion detection, endpoint security and antivirus tools, as well as an experienced security team. The hospital had been unaware of the infections. TrapX found connections to “somewhere in the European Community.”
In a second case, a picture archive related to sharing images of MRIs, ultrasounds and CAT scans with outside physicians had been breached by hackers in China who had set up exfiltration with an SSL-encrypted port 443 “suggesting a possible cyberespionage attack.”
So what can be done, and what do nurses need to know?
TrapX said hospital contracts for medical equipment should provide stipulations regarding malware infections. “They must include very specific language about the detection, remediation and refurbishment of the medical devices sold to the hospitals which are infected by the malware,” TrapX executive and co-founder Mosh Ben Simon said in the TrapX report. “They must have a documented test process to determine if they are infected, and a documented standard process to remediate and rebuild them when malware and cyberattackers are using the devices.”
The FDA also has issued guidelines, subject to late-2015 updates, which tended to reflect the TrapX guidelines.
“Manufacturers should address cybersecurity during the design and development of the medical device, the FDA began with its recommendation of a cybersecurity framework designed to:
Identify: Which devices are vulnerable?
Protect: Limit access and layer access, strengthen passwords and physical locks on devices, and ensure trusted content, open and close programs more completely.
Detect: Implement features that cause security compromises to be identified and reported.
Respond: Develop a protocol of actions to be taken when a security breach is detected.
Recover: Find ways to make the user’s work can be restored.
Consumer Watchdog’s Court told KQED the FDA needs to insist on laws, not just recommendations.
“Without legally binding rules, medical device security is left in the hands of hospitals and device makers,” Court said. “And they are required to report device malfunctions only if patients are injured or they die.”
Nearly all of the suggestions call for greater empowerment of the medical staffs actually running medical devices.
As blogger Adam Winn, who says health care needs the wide-reaching security systems of major utilities, puts it:
“Hospitals and their staff are very accustomed to preventing the spread of biological infections, and they must now apply similar levels of prevention to preventing the spread of cyberinfections. Defending against cyberinfections, by comparison, is much easier. The medical industry isn’t alone in fighting this threat. They don’t have to invent new techniques for preventing infection. They simply need to adapt the proven strategies employed by other industries.”
Nurses, by knowing what to look for, will be expected to improve the odds of success.Learn More: Click to view related resources.
- Kelly Jackson Higgins, "Hospital Medical Devices Used as Weapons in Cyberattacks," Information Week
- Lindsey Hoshaw, "Millions of Americans Use Devices that May Be Vulnerable to Hacking," KQED Science
- Jim Finkle, "Exclusive: FBI warns healthcare sector vulnerable to cyber attacks," Reuters
Back to: Nursing Newsroom