What to ask hospitals about medical device hacking preparedness


Photo: Pia Christensen/AHCJMay Wang, chief technology officer at cybersecurity firm Zingbox, said that connected medical devices often are not used efficiently.

It’s only a matter of time before a patient is harmed through medical device hacking, and journalists have many resources to probe whether their local health providers are able to prevent or respond to such an event, said a panel of experts at Health Journalism 2018 in Phoenix.

To date, there are no documented cases of patients harmed by medical device hacking, said panel moderator and independent journalist Mark Taylor. But reporters should be asking their local hospitals about this specific cybersecurity threat.

Historically, medical devices were relatively secure from tampering because they were not connected to computer networks. That is no longer true today, said Roman Lysecky, associate professor of electrical and computer engineering at the University of Arizona in Tucson.

“The benefits of connectivity came with the risks of hacking,“ Lysecky said.

Protecting patients from this risk is expensive, time consuming and requires a multifaceted approach, panelists said.

The three primary challenges for protecting connected medical devices are inventory, security and operations, said panelist May Wang, chief technology officer at Zingbox, a cybersecurity firm.

Many hospitals don’t have real-time inventory tracking and so don’t know how many or the location of connected medical devices, Wang said. In the event of a hack, an inability to locate and shut down medical devices quickly is a vulnerability. Many medical devices aren’t secure in that they are using older operating systems vulnerable to cyberattack, their security systems are not upgraded frequently or the devices are not encrypted. And from an operations perspective, connected medical devices often are not used efficiently, Wang said.

Zingbox’s 2018 threat report on connected medical devices indicated that the most commonly connected medical devices are infusion pumps, imaging systems and patient monitors. Imaging systems had by far the most security issues, according to the report.

Journalists covering medical device security should read the Health Care Industry Cybersecurity Task Force Report to Congress, released in June 2017, said Jeff Tully, M.D., resident anesthesiologist at the University of California-Davis Medical Center, and panelist. The report lays out the biggest vulnerabilities facing health providers, including legacy equipment, lack of talent to work cybersecurity jobs, and premature over-connectivity of medical devices.

The panelists also suggested reporters contact medical device manufacturers to find out how they are addressing security concerns across the whole life cycle of their products, not just after they are shipped to hospitals.

Tully brought up a great question that we don’t hear much today in our hyper-connected world: Does everything need to be connected to everything else?

Requirements for hospitals and physician offices to adopt electronic health records “drove a sense of everything needs to be connected,“ Tully said. “We are taking a step back and saying, maybe we don’t need to do that.”

A pessimist might say, “If you can’t afford to protect it, you can’t afford to connect it,“ Tully said. He added that as a Marvel Comic fan, he prefers to think of it as, “With great connectivity comes great responsibility.”

Creative Commons License

Republish our articles for free, online or in print, under a Creative Commons license.