Smart Medical Devices Call For Smarter Cyber Security

Medical devices are increasingly connected – which means they’re also increasingly vulnerable.

By Lauren Silverman, September 14, 2015 8:30 am

This story originally appeared on KERA Breakthroughs

Giving a hospital patient drugs used to be so analog.

Nurse Brandi Crow says up until 20 or so years ago, she and other nurses counted drops or made calculations by hand to determine the correct rate and dose of IV fluid and medications. These days, so-called smart pumps determine the dosages of everything from antibiotics and pain medications to chemotherapy drugs.

“They’re wireless,” she says. “They’re on the hospital wireless network, you don’t think about anybody really breaching that. Why would they want to get into a medical device?”

Crow, an analyst with Dallas-based healthcare research company MD Buyline, says hospitals are now starting to realize the potential danger of smart infusion pumps.

“You’re worried about someone going in and getting out a patient’s medical history,” Crow says. “You can get patient information, you can get financial information, all kinds of things through that. So whether it’s malicious or not malicious you’re opening yourself up for considerable risk.”

At some high-tech hospitals, pharmacists can prescribe and set up pumps remotely. The risks associated with a hack have caught the attention of the Food and Drug Administration. Earlier this summer, for the first time, the FDA warned caregivers to stop using a specific infusion pump because of its vulnerability to hacking.

The pump singled out by the FDA, the Symbiq Infusion System, was created by Hospira (now part of Pfizer) and is no longer in production. Hospira declined an interview with KERA, but in a statement said the company has designed “our next-generation infusion systems with enhanced network security protections in place.”

Why Connect Pumps? 

There are good reasons for pumps to be wireless and connected to pharmacists, nurses and a patient’s medical record. For one thing, drug orders can be very complex: you have to get the dose, concentration and flow rate right. Typing in that data leaves room for serious errors.

Dan Pettus, vice president of information technology with medical device company CareFusion, says smart pumps make it possible to program and update that information remotely.

“A connected system gives someone remotely the ability to view what’s happening at the patients’ bedside,” he says. “[It] could be very valuable for a pharmacist or a nurse to check the order, and that raises the bar for the efficiency and safety of these infusion devices.”

And it’s true — smart pumps can make patients safer. A 2004 study at Vanderbilt University Medical Center found CareFusion’s pumps helped prevent errors with the blood-clot drug heparin.

Increased safety is one reason the market for smart pumps is expected to grow to $3.6 billion by 2017, according to MD Buyline.

The Risks Of Overlooking Cyber Security 

Jay Radcliffe, a hacker and type 1 diabetic, knows the benefits and dangers of medical devices firsthand. In 2011, he hacked his own insulin pump, and was able to write a program to turn it on and off, even change the therapy settings.

“The battle is that technology moves a lot faster than the agencies do,” he says.

Radcliffe, who now works for cyber security company Rapid7, says many hospitals still use pumps that are 10 years old – which he compares to using a Windows 95 computer for financial transactions.

“[Medical device makers] seem to be lagging behind,” Marty Edwards says. “They need to work towards fixing that.”

Edwards is director of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the Department of Homeland Security. His team works with researchers and device makers to address cyber security threats. He expects to see a rise in the number of medical devices that are flagged for vulnerabilities.

“This is an area that people are just starting to scratch the surface on from a research perspective,” he says.

Both Edwards and Radcliffe say there has been progress. Device makers are increasingly working with hackers rather than against them to identify and fix flaws.

Dan Pettus with CareFusion recognizes that even with the best software and encryption methods, companies still have to bring in so-called white hat hackers to test the devices.

“And they will try everything under the sun to hack into that system,” Pettus says. “And you know what? They’re always going to find something because it’s an extremely complex ecosystem.”

Occasionally, what they find is a bad password.

Seriously.

Hacker Jay Radcliffe says hospitals sometimes purchase infusion pumps off the shelf and don’t change the default password. Still, he’s not overly concerned.

“There’s risk in everything we do,” Radcliffe says. “If I’m in a hospital and I’m in a life-threatening situation and I need to be hooked up to a medical device, the risks of me dying far outweigh any minor risk of attack that could occur from a cyber security issue.”

As medical devices learn to talk to each other, Radcliffe says it’s important we do, too. Patients, hackers and hospitals have to be connected to stay ahead of new threats.