It’s been about 10 years since security researcher Jay Radcliffe stepped on stage at a conference and demonstrated he was able to hack into his own insulin pump. If he had wanted, he could have used the pump to deliver a lethal dose of the drug into his system. Instead, he called for medical companies to take the security threat seriously.
These and similar presentations were wake-up calls about the potential danger of connecting compromised medical devices to the Internet, says Mike Johnson, a security technology expert at the University of Minnesota’s Technological Leadership Institute.
Over the past decade, the number of connected medical devices – drug infusion pumps, pacemakers, monitors – has exploded, making the problem even more pressing. Security researchers estimate that there are an average of 10 to 15 Internet-connected devices on each hospital bed. “It’s only a matter of time,” says Johnson. “There are more devices and more exposure.”
This exposure is one of the reasons the University of Minnesota established a new Center for Medical Device Cybersecurity, which was founded in early September in partnership with medical device companies like Medtronic (which made Radcliffe’s pump) and Boston Scientific. The center will act as a hub to help groups who touch medical devices at every stage of their life cycle, from their development to bedside use, to understand and manage cybersecurity risks.
“We want to involve all of these participants in the process and hopefully give them tools,” says Johnson, who is involved with the center.
The Verge spoke to Johnson about the center’s goals and the cybersecurity risks surrounding medical devices.
This interview has been edited slightly for the sake of clarity.
Why is it important to focus on medical device safety?
Medical device safety has been on the radar of safety risk managers for a decade or more. All of a sudden there was an explosion in healthcare around connected devices. The number today is 10 to 15 devices connected per hospital bed, and that is a combination of bedside devices and possibly portable or implanted devices. The more things we add to a network, the more likely it will be affected.
There hasn’t been a truly high profile case of a patient being killed or seriously injured, but it’s only a matter of time. We know the criminal element is changing. They are mostly money driven, but there are other people who are making a splash, like a terrorist group trying to kill someone over the internet.
As the risk increases, security experts and device manufacturers and others say, “Well, we really need to be one step ahead of that.” The healthcare system is not waiting for the massive accident.
Ransomware attacks on hospitals are a significant and escalating issue for the healthcare system in the United States. Do they also have an impact on medical devices?
Perhaps the most immediate threat comes from ransomware. We have seen it over and over and we see that it may affect patient safety. So you might be asking, “What does a medical device have to do with ransomware?” But it’s part of the whole ecosystem. An attacker might not take over a device, but if the device relies on a single connection point and ransomware takes over the command server for the devices, all of the devices can stop working.
We want to understand the security of the device itself, but we also want to understand where the device is in the ecosystem – what factors are important to its function? What could happen to it?
Medical device companies make the products that can be hacked, but doctors and hospitals use them – and these groups often don’t have the same cybersecurity resources or skills. How are you involved in these conversations?
Suppliers are exposed to many risks; medical devices are just one of them. A medical device is connected to the network, as are heating, ventilation and air conditioning. Both have equally important risk issues that need to be addressed.
When I think of the spectrum, if you have a device manufacturer on the left, then it’s about the nuts and bolts of that device. On the right side you have a system like a hospital that has a cybersecurity risk and has something to protect. In the lifecycle of a device, it starts with the manufacturer, and when they do a good job that’s great – but when they ship it, it can be less safe because of being deployed in a hospital or health center. That increases the risk.
You are an important part of the system and hopefully a part of the center. There’s a very large health system in Minnesota that we spoke to as we expanded.
Hospitals aren’t the only places with internet-enabled medical devices – pacemakers are implanted in people’s bodies, smartwatches can diagnose heart problems, and people measure their blood pressure through app-connected cuffs at home. Can we protect them too?
The home network can be a scary place for everything important. Resources are not the same, and there are all sorts of things that can go wrong. But you have to look at everything in terms of risk and impact. For example, if a blood pressure monitor is hacked, the results could be tampered with. Even so, patients with high blood pressure see their doctor regularly enough to double check these numbers – and maybe it wouldn’t be too dangerous. On the other hand, something like a pacemaker is physically located inside the patient. Playing with it would be a different story.
If manufacturers knew this was going to end up in someone or someone’s home, they would conduct a risk and threat assessment to understand what could happen and how big it would be. Then they would design the security controls with that in mind. We hope that a manufacturer will design it so that you have a secure connection even on a poorly secured network.
What is the first step for the center to improve this ecosystem?
In the beginning, we really focus on generating interest, getting people into the consortium and offering further training opportunities. We have a hackathon that the center is involved in and we’re starting our first introductory course on device cybersecurity. We target everyone from big players like [medical device company] Abbott to smaller groups. Medical device cybersecurity is quite specialized. So this is intended for engineers or anyone else in the product development cycle who wants to understand why safety is important and how it can be improved.
It’s been about a decade since this became an important topic. How far does the entire ecosystem around medical devices still have to go to be protected?
Security is not a fixed end state. There will be no end state. It is always a process of improving where improvement is needed and protecting the things that are most important to protect. We want to prioritize the changes that make the most difference and raise the bar over time.