Hackers Welcome: Why Federal Regulators Are Welcoming Simulated Hacks In Hospital Settings
Tuesday, November 26, 2019
Hospitals and the technology used inside them are increasingly vulnerable to hackers. But to prevent the harmful data breaches and keep patients safe, federal regulators are welcoming some hacks.
Medical device vulnerabilities
Eight years ago, Marie Moe woke up on the floor. The Norwegian cybersecurity researcher had suddenly passed out.
"It turns out it was my heart taking a break," Moe said.
Moe's heart wasn't getting the right amount of oxygen. She needed a pacemaker. And quickly after it was implanted into her body, her cybersecurity senses kicked in.
"Can my heart be connected to the Internet? I want to know how is this implemented? Is it secure?" she said.
Moe found out her pacemaker was connected to the internet. So, Moe asked her graduate students to investigate.
She said it was surprising how easy it was to buy a number of used pacemakers online and take them apart. Moe also bought a pacemaker programmer for just $500 off eBay.
"The same programmer that is used in hospitals to change the settings of my pacemaker," Moe said.
That meant a programmer could change pacemaker settings, and those settings determine whether her heart beats at the right rate. A hacker with the right skills could get in.
The problem isn’t really that individual medical devices can be hacked, it's that entire medical systems are at risk. In 2017, 16 hospitals in the United Kingdom temporarily stopped their work because of a ransomware attack. A hacker froze hospital computer systems and demanded bitcoin payment to stop the attack.
Moe said cyber threats to hospitals and the technologies used inside them can still seem theoretical. Medical industry data shows hospitals spend around 5% of their IT budgets on cybersecurity. That's why Moe is just one of many cyber experts trying to raise awareness.
Public awareness campaigns
A patient has rolled into a UC San Diego campus emergency room. His heart has stopped. And Dr. Rahul Nene is instructing his colleagues to administer a shock.
"Charge is ready, clear, clear go ahead and shock him," Nene said.
It seems like the situation has gone awry. But, this patient is fine, because he's actually a talking dummy. Nene is a real doctor, but right now he’s just acting.
This isn’t an emergency room. It’s a simulation center at UC San Diego’s Simulation Training Center. And these doctors and actors are participating in a simulated ransomware attack. A patient’s health hangs in the balance. And hundreds of people downstairs are watching in an auditorium.
"We imagined what would happen if you were in a hospital and you needed to take care of someone who had a heart attack or a stroke but you couldn’t access the very technologies you rely on on a regular basis," Dr. Jeff Tully said.
This scene is part of the CyberMed conference held in mid-November. Tully, who's both a doctor and a hacker, is one of the organizers. He wants to show the real impacts of a potential cyber event to medical and government leaders.
"This is something we found is very visceral and lets people who were previously removed from the bedside understand this can have implications in the real world," Tully said. "We’re looking to create a responsible sense of urgency."
Federal regulators paying attention
This willingness among cyber experts like Moe and Tully to collaborate is something the Federal Drug Administration has noticed.
"FDA really believes in bringing community together, collaboration has really been a cornerstone of our efforts," said Suzanne Schwartz, director of the FDA’s Office of Strategic Partnerships & Technology Innovation.
The FDA is responsible for clearing and approving consumer medical devices. Over the last five years, it has partnered up with hackers and cybersecurity researchers. Earlier this year, the FDA organized a so-called WeHeartHackers challenge where Schwartz said manufacturers volunteered more than 40 devices to be hacked.
"It created a sense of safe space for the manufacturers who otherwise might be reluctant to participate in this and the researchers with a government presence as well," she said.
At the 2019 Def Con hacking conference in August, hackers attacked real medical devices at a pretend hospital. Schwartz said manufacturers essentially got a free consultation on their device vulnerabilities.
"Plenty of hospital representatives, patients as well ... really got a lot out of seeing the interactions within this device hacking lab," Schwartz said.
The FDA also shared lessons learned with the Department of Homeland Security. Schwartz said ensuring patient safety requires collaboration not just among regulators, but also with experts, such as Moe and Tully, who can show where vulnerabilities may lie.