Hackers Welcome: Why Federal Regulators Are Welcoming Simulated Hacks In Hospital Settings
KPBS Midday Edition Segments / November 26, 2019
Hospitals are increasingly vulnerable to cyber attacks. But some people are stepping up to spread awareness of the risks.
Speaker 1: 00:00 Hospitals and the technology inside them are increasingly vulnerable to hackers. KPBS science and technology reporter Shalina Chatlani says federal regulators are welcoming some hacks to learn how to keep patients safe.
Speaker 2: 00:15 Eight years ago, Marie Moe woke up on the floor. The Norwegian cybersecurity researcher had suddenly passed out. "It turned out that it was my heart that was taking a break." Moe's heart wasn't getting enough oxygen, so she needed a pacemaker to keep her heart going at the right rate. Very quickly, her cybersecurity senses kicked in.
Speaker 3: 00:34 Can my heart be connected to the Internet? And I want to know how this is implemented.
Speaker 2: 00:42 Is it secure? Turns out her pacemaker was connected to the Internet. So Moe asked her graduate students to investigate. She was surprised at how easy it was to buy a number of used pacemakers online and take them apart. Moe also bought a pacemaker programmer for just 500 dollars off of eBay.
Speaker 3: 01:01 The same programmer that is used in hospitals to change the setting of my pacemaker.
Speaker 2: 01:10 A programmer can change pacemaker settings, the ones that determine whether her heart beats at the right rate. A hacker with the right skills would be able to access those settings now. The problem isn't really that individual medical devices can be hacked; it's that entire medical systems are at risk. In fact, in 2017, 16 hospitals in the United Kingdom were temporarily shut down due to a ransomware attack. A hacker had infected computer systems with a virus and demanded payment to remove it. But Moe says cyber threats and hospitals and further technologies inside them can still seem theoretical. Industry data shows hospitals spend just around 5 percent of their I.T. budgets on cybersecurity. That's why Moe is just one of many cyber experts trying to raise awareness. He said.
Speaker 4: 01:57 Sir you're OK. Let's jump on the chance and help in here please. This patient has just rolled into a UC San Diego campus emergency room. His heart has stopped and Dr. Ro will name names and structure his colleagues to administer a shock. Go ahead shock him. Don't be alarmed. This patient is fine because well he's a talking dummy.
Speaker 2: 02:19 Naomi is a real doctor. But right now he's just acting, because this isn't an emergency room. It's a simulation at UC San Diego Simulation Training Center, and what these doctors and actors are recreating is a ransomware attack. A patient's health hangs in the balance, and people downstairs are watching in an auditorium.
Speaker 5: 02:37 We imagined what would happen if you were in a hospital and you needed to take care of someone who had a heart attack or someone who had a stroke but you couldn't access the very technologies that you rely on on a regular basis.
Speaker 2: 02:48 This scene is part of the cyber med conference. Jeff Tully, who's both a doctor and a hacker, is one of the organizers. He says he hopes to show the real impacts of a potential cyber event to medical and government leaders.
Speaker 5: 03:00 So this is something that we found is very much visceral and very tangible and that's people who are previously sort of removed from the bedside understand that this could have those types of implications in the real world.
Speaker 2: 03:13 This willingness among cyber experts to collaborate is something the Federal Drug Administration has noticed. "FDA very much believes in the idea of bringing the community together." That's Suzanne Schwartz with the FDA Office of Strategic Partnerships. The FDA is responsible for clearing and approving consumer medical devices. Over the last five years, it's partnered up with hackers and cybersecurity researchers. The FDA even organized a so-called "We Heart Hackers" challenge this year, where Schwartz said manufacturers volunteered over 40 devices to be hacked.
Speaker 6: 03:44 It created a sense of safe space for the manufacturers who otherwise may be reluctant to participate in something like this.
Speaker 2: 03:53 And the researchers, with a government presence as well. At the 2019 DEF CON hacking conference in August, hackers attacked real medical devices at a pretend hospital.
Speaker 6: 04:03 Plenty of hospital representatives really got a lot out of seeing the interactions that were happening within this device hacking lab.
Speaker 2: 04:14 The FDA also shares lessons learned with the Department of Homeland Security. Schwartz says ensuring patient safety requires collaboration not just among regulators but also with experts who can show where those vulnerabilities may lie. Shalina Chatlani, KPBS News.
Speaker 1: 04:30 Joining me is KPBS science and technology reporter Shalina Chatlani. And Shalina, welcome. Hey, glad to be here. How is it that hospitals haven't paid more attention to the threat of hacking? Because the idea of having your medical treatment interfered with by some hackers is really terrifying.
Speaker 7: 04:49 Yeah, I think that it's safe to say now hospitals have been paying more attention. It's just that logistically it's really hard to incorporate something like cybersecurity into your infrastructure, your security plans, when it's a relatively new concern that's come about. There was a 2018 article from the Journal of Medical Internet Research that says a potential breach can cost one hospital around seven million dollars. It's costly. So I think hospital providers are paying attention. But there are the logistical challenges are you. Think about how much technology you have. A lot of it is old. Some of it is new, and it's hard to come up with a framework to secure all those things when all the technologies you have are so vastly different.
Speaker 1: 05:36 Well, what happened during the 2017 ransomware attack on England's National Health Service?
Speaker 7: 05:42 How did England handle it? So the attack that happened in England really shows the extent of the cybersecurity issue, because it wasn't just England that experienced this attack. It was a malware-type virus called WannaCry, and it actually impacted hundreds of thousands of computers in over 150 countries. England just happened to experience a number of hospital providers under the National Health Services experience this malware, ransomware intrusion. And so what happened was that a lot of these hospitals had to temporarily shut down and cancel thousands of appointments. The National Health Services was really criticized for this later on after the attack happened, because they had done surveys about whether their hospitals were cyber secure or not. And there weren't really protocols in place to deal with that, because a major attack hadn't really happened and they weren't used to it. So what ended up happening actually is that there was a 22-year-old blogger hacker who ended up finding this URL within the virus and figuring out how to stop it, but the giant organization ultimately was kind of scrambling when this occurred.
Speaker 1: 06:57 Now, can you tell us more about what happened when UC San Diego simulated a cyber attack? How did the medical personnel respond to that? Yeah.
Speaker 7: 07:05 So what was so interesting about the simulation, and Dr. Jeff Tully is one of the organizers, I asked him about this. He said it's not just that the people in the auditorium downstairs are learning, it's that the actual doctors in the room are learning as well. And so the doctor that you heard in the feature, that was the first time he knew any of this was happening, and he even said afterwards, wow, I learned so much. I don't know what to do in a situation where I can't see the brain scan of the patient. It's hard to make a call on what to do with the patient when you don't have access to the tools you're so reliant on.
Speaker 1: 07:44 Now, is the FDA review of how medical devices could be hacked, is that now a standard part of its approval review?
Speaker 7: 07:53 I'm not sure whether it's a part of the approval review, but I do know it is a part of the premarket analysis that goes in when they have to submit a medical device to be reviewed. But that's to say that the onus is pretty much on the manufacturers. They're the ones that will have to update the software, they're the ones that are going to have to make sure that they're complying with federal security regulations. The FDA did put out a white paper that sort of explains what their protocols are, and they are looking into it, but it's also hard because at the point at which a device gets to you the framework has already been developed. You get computers, for example, with a set of hardware and then you download the software to figure out how to secure it. So it's kind of a hard nut to crack, I think, for the FDA, and that's why they've been putting out a lot of guidance as to hospital providers and manufacturers to say, hey, this really needs to be a part of creating your device before you even get it to market.
Speaker 1: 08:57 And it sounds as if though from your feature that they're reviewing these devices individually when it comes to security. Is there anyone who's looking for the bigger picture, back to your first answer about how difficult it is to have a big picture of security when it comes to so many individual devices that can be hacked in a hospital situation? Yeah.
Speaker 7: 09:18 I mean, you've really got the idea that there's, you know, the FDA is out there reviewing consumer medical devices and that's their job, but they aren't out there making sure that hospitals have the right cybersecurity protocols. Hospital systems and the technologies inside them are so complex. You could have one hospital with a lot of money that's able to put in all of the safety requirements, make sure that, you know, even all of their employees understand: don't open that email that might be dangerous. It comes down to the small things. But what about the hospital that doesn't have the resources, and then they accidentally end up sharing patient data with another hospital that has, you know, malware attached to it? These things are very hard. So I think what's happening now is that there's just a larger conversation among regulators and people in the cybersecurity community about how do we inform people broadly, how do we inform hospital systems broadly, that this needs to be a part of how they're planning of their emergency protocols.
Speaker 1: 10:25 It's very interesting. Thank you so much. I've been speaking with KPBS science and technology reporter Shalina Chatlani. Thanks again. Thank you.