Cover Story

Just How Safe Are Medical Devices? Protecting Patients From Cyber Attacks

Kevin R. Campbell, MD, FACC

In early January 2017, the U.S. Food and Drug Administration (FDA) confirmed that pacemakers and implantable defibrillators (ICDs) manufactured by St. Jude Medical (now Abbott) are vulnerable to cyber hacking.[1] This completed months of cooperative investigation and evaluation by both the company and the FDA. An announcement was made on January 9, 2017 that Abbott — who had recently completed the acquisition of St. Jude Medical — had provided an automatically installed software patch to address these cybersecurity vulnerabilities.[2] Remote home monitoring has been shown to be incredibly effective at reducing hospitalizations and improving the care of patients with implantable cardiac devices. When pacemakers and other medical devices are monitored wirelessly via home transmitters that are continuously connected to the internet, some have suggested that this could pose a security threat.

According to the FDA, the issue at hand with St. Jude Medical (Abbott) devices is that hackers could potentially access the Merlin@home transmitter and reprogram the device or prematurely deplete the battery, putting patients at significant risk. 

The idea that cyber hacking of medical devices is even possible was once thought to be something from a science fiction story. Now it is becoming a reality, and it is not just pacemakers and ICDs that are at risk. Multiple reports of attacks on the IT systems and medical devices involved in healthcare have recently surfaced. From secure medical record systems to radiology reporting software to insulin pumps, numerous vulnerabilities were identified over the last year. In 2016, the Department of Homeland Security disclosed cyber vulnerabilities in hospital-based drug-dispensing machines, and the FDA warned about security issues associated with certain common hospital infusion pump machines. In February 2016, Hollywood Presbyterian Medical Center in Los Angeles was locked out of all of its electronic medical records and paid a $17K ransom to have its access re-established.[3] In this particular case, malware was introduced into the hospital’s electronic record system, allowing hackers to hold the IT resources hostage for almost ten days. Also in 2016, Johnson and Johnson notified 114,000 patients that their Animas OneTouch Ping insulin pump devices were vulnerable to hackers — the pumps could be remotely disabled or changed to deliver an altered dose of insulin.[4] A report released by Forrester Research in November 2015 suggested that pacemakers, insulin pumps, MRI scanners, and numerous other medical devices are non-secure and subject to attacks by malware and other hacking efforts.[5] Experts now agree that any medical device that is connected to the internet is vulnerable — although some are more easily accessed than others. Most cybersecurity professionals contend that the encryption and security measures that have been utilized with medical devices are nearly a decade behind what should be in place.

Many medical devices run on older and outdated Windows-based platforms (e.g., Windows 7 and Windows XP) that have known security issues, making it much easier for hackers to gain access. Some estimate that medical device makers and healthcare facility IT departments spend less than 6% of their annual budgets on cybersecurity — putting patients at significant potential risk. To this point, there has been a general disregard for medical device security, mainly due to most healthcare professionals simply not being aware of the potential problems. However, more risks and vulnerabilities are exposed every single day in a variety of medical devices — from MRI scanners to pacemakers — and I believe this is a call to action for all of us in the healthcare space.

INTERNET-CONNECTED MEDICAL DEVICES ARE AT RISK: IS THERE GUIDANCE FROM THE FDA?

As medicine becomes more digitally connected with patient devices being accessed via smartphones, tablets, doctor’s offices, and hospital systems, security vulnerabilities are becoming more of a concern. In December 2016 (before the current St. Jude Medical findings were released), the FDA published guidelines regarding cybersecurity issues in medical devices.[6] In the document, the FDA makes it clear that all medical devices are at risk and that more must be done by industry in the pre-market phase to design more secure portals for data collection and device integration. In addition, the FDA correctly states that more study is needed to identify potential risks and impact to patients. The guidance statement goes on to recommend much more vigorous post-market cybersecurity surveillance programs, and suggests that all of the findings should be shared with the FDA. I expect that in the future, there will be a great deal more regulation involved for medical devices that are capable of wireless communication across the internet.

EXACTLY HOW DID THE ST. JUDE MEDICAL DEVICE SECURITY ISSUES UNFOLD?

In order to gain better insight into how cybersecurity issues have been handled in the past by the medical device industry, we need to more closely examine what happened last fall. The issue of device hacking began in August 2016, when Muddy Waters,[7] a privately owned investment research firm, first suggested that these vulnerabilities existed with St. Jude Medical devices after receiving a concerning security report from an independent cybersecurity company called MedSec.[8] At the time, MedSec claimed that their research suggested that St. Jude Medical was “by far the least secure” of the four largest implantable cardiac device makers in the United States. St. Jude Medical responded by saying that the report was “false and misleading” and was intended for “financial gain.”[9,10]

In September 2016, St. Jude Medical announced it had filed a lawsuit against Muddy Waters and MedSec for “false statements, false advertising, conspiracy and the related manipulation of the public markets in connection with St. Jude Medical’s implantable cardiac management devices” — and ardently defended the safety and security of their devices.[11] St. Jude Medical has since collaborated with agencies including the U.S. FDA and the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) unit to implement cybersecurity updates to their devices.[2] The FDA safety report was released on January 9, 2017.

HOW CAN WE KEEP PATIENTS SAFE?

When it comes to securing medical devices, there are more questions than answers. First of all, we need to insist that the medical device industry works to ensure the security of their devices prior to entering the market. Our lawmakers and the FDA must do more to regulate the medical device industry — we must set more stringent and informed security standards for healthcare in general. Simply put, we must all — healthcare providers, researchers, IT experts, and medical device industry leaders — do more to put patients first.  We must ask the hard questions, including:

What is being done to protect those with insulin pumps? 

What is being done to handle secure data from MRI machines, electronic medical records, and IT systems? 

How secure are other “connected” medical devices?

I think it is important for all device makers to be proactive and tell us what we need to know — what are they doing NOW to protect patients from cyber attacks? From a regulatory perspective, we need strict guidelines with regard to security and cyber vulnerabilities. All medical facilities and device makers must put new procedures in place, such as isolating medical devices with internal firewalls, developing strategies to review and remediate existing devices, and devising strategies to deal with devices at end of life — just to name a few. We must ultimately hold device makers to a higher cybersecurity standard, and ensure that patients are safe in an increasingly connected world.

WHAT ABOUT REMOTE MONITORING — WHAT’S NEXT?

Remote monitoring has been shown time and again to be an important part of the device follow-up and support process. Many patients benefit from remote monitoring — hospitalization rates are decreased and treatments for changes in status can be initiated long before the patient becomes symptomatic. Abnormalities in devices can be identified and remedied before a catastrophic event occurs. It is vital that we continue to remotely follow our patients. We must reassure patients that remote monitoring remains safe and that we are all working diligently to make sure that their connected devices are safe from cyber attacks. 

As EP professionals, we must ask more questions and initiate more trials. We must collaborate with experts in the IT world and devise better ways to protect the security of medical devices. Through research and study, we will be able to better identify vulnerabilities and improve security. Just as we demand that manufacturers provide us with high-quality devices to use to treat our patients, we must also demand that the device industry redouble their efforts to improve security and upgrade systems in order to restore patient confidence and avoid future vulnerabilities to hackers.

References

  1. Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication. U.S. Food & Drug Administration. Published January 9, 2017. Available online at https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm. Accessed February 24, 2017.
  2. St. Jude Medical Announces Cybersecurity Updates. St. Jude Medical. Published January 9, 2017. Available online at https://media.sjm.com/newsroom/news-releases/news-releases-details/2017/St-Jude-Medical-Announces-Cybersecurity-Updates/default.aspx. Accessed February 24, 2017.
  3. Gallagher S. Hospital pays $17k for ransomware crypto key. Ars Technica. Published February 18, 2016. Available online at https://arstechnica.com/security/2016/02/hospital-pays-17k-for-ransomware-crypto-key/. Accessed February 24, 2017.
  4. Finkle J. J&J warns diabetic patients: Insulin pump vulnerable to hacking. Reuters. Published October 4, 2016. Available online at https://www.reuters.com/article/us-johnson-johnson-cyber-insulin-pumps-e-idUSKCN12411L. Accessed February 24, 2017.
  5. Predictions 2016: Cybersecurity Swings To Prevention. Forrester Research. Published November 12, 2015. Available online at https://www.forrester.com/report/Predictions+2016+Cybersecurity+Swings+To+Prevention/-/E-RES117390. Accessed February 24, 2017.
  6. Postmarket Management of Cybersecurity in Medical Devices. U.S. Food & Drug Administration. Published December 28, 2016. Available online at https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf. Accessed February 24, 2017.
  7. Muddy Waters Research. Available online at https://www.muddywatersresearch.com/. Accessed February 24, 2017.
  8. About MedSec. Available online at https://medsec.com/about.html. Accessed February 24, 2017.
  9. St. Jude Medical Refutes Muddy Waters Device Security Allegations and Reinforces Security of Devices and Commitment to Patient Safety. St. Jude Medical. Published August 26, 2016. Available online at https://media.sjm.com/newsroom/news-releases/news-releases-details/2016/St-Jude-Medical-Refutes-Muddy-Waters-Device-Security-Allegations-and-Reinforces-Security-of-Devices-and-Commitment-to-Patient-Safety/default.aspx. Accessed February 24, 2017.
  10. St. Jude Medical Statement on Muddy Waters October 19, 2016 Claims. St. Jude Medical. Published October 19, 2016. Available online at https://media.sjm.com/newsroom/news-releases/news-releases-details/2016/St-Jude-Medical-Statement-on-Muddy-Waters-October-19-2016-Claims/default.aspx. Accessed February 24, 2017.
  11. St. Jude Medical Brings Legal Action Against Muddy Waters and MedSec. St. Jude Medical. Published September 7, 2016. Available online at https://media.sjm.com/newsroom/news-releases/news-releases-details/2016/St-Jude-Medical-Brings-Legal-Action-Against-Muddy-Waters-and-MedSec/default.aspx. Accessed February 24, 2017.
