Like most \u201chands-free\u201d technology, Dick Cheney\u2019s wireless pacemaker let him travel freely without worrying about batteries or plugs. But in 2013, the former Vice President disabled its wireless functionality so that hackers couldn\u2019t remotely induce heart failure. \u201cI was aware of the danger, if you will, that existed,\u201d he told 60 Minutes.<\/i><\/p>\n
While Cheney developed a reputation <\/span>for fear-mongering during\u00a0his time in the public eye,\u00a0his paranoia over the security of his pacemaker wasn\u2019t unfounded. <\/span><\/p>\n \u201cAny device connected to the internet can be hacked, and this includes medical devices,\u201d says David Maman, CEO of artificial intelligence developer Binah.ai. \u201cIt\u2019s a matter of when, not if.\u201d<\/p>\n In the six years since Cheney made headlines for taking his pacemaker<\/span>\u00a0offline, the threat of medical devices being hacked has only grown.\u00a0<\/span>The global medical device market is expected to exceed $674 billion in the next three years, and wirelessly connected models are now ubiquitous in healthcare settings, with an average of <\/span>15 to 20 in each hospital room<\/span><\/a>. These devices\u00a0<\/span>can remotely administer medication, monitor vital signs, support organ function and send patients\u2019 health data directly to doctors. But thanks to increased wireless connectivity, software glitches and the growing sophistication (and boldness) of hackers, they\u2019re often vulnerable to infiltration by<\/span> outsiders<\/span>\u00a0and\u00a0even patients themselves.\u00a0<\/span><\/p>\n The healthcare sector, which accounted for 41 percent of all cybersecurity breaches <\/span>reported in 2018<\/span><\/a>, is particularly susceptible to hacking. The\u00a0Cisco\/Cybersecurity Ventures 2019 Cybersecurity Almanac<\/a>, a compendium of cybersecurity statistics, predicts that healthcare will suffer two to three times more cyberattacks this year than other industries, on average. <\/span>Fortunately, device manufacturers, researchers, healthcare providers and government agencies are ramping up efforts to protect patients and their medical devices from malicious attacks. But no singular security measure is going to do the trick; experts say the key to mounting a successful defense against hacking is for everyone affected by the problem \u2014 patients included \u2014 to work together.\u00a0<\/span><\/p>\n In most ways, medical devices became\u00a0<\/span>a lot more convenient and reliable once they became wireless.\u00a0<\/span>Some implanted devices, like pacemakers, run on Bluetooth, a lower-power technology that only works in close proximity; others<\/span>\u00a0need stronger network connections to allow tracking and response from afar. <\/span><\/p>\n Diabetes patients use a wireless remote control for their insulin pumps. Wireless transmitters in pacemakers or cardiac monitors let healthcare providers detect irregular heartbeats and modify settings or instructions to the device accordingly. Cochlear implants, gastric and deep brain stimulators, and MRI machines also connect to wireless networks. Many hospitals now have robotic assistants to dispense medicine at the bedside, with nursing stations or tele-medical staff monitoring their actions. As helpful as these life-changing products are, hospitals and device-makers know they can also be <\/span>woefully insecure<\/span><\/a>.<\/span><\/p>\n \u201cThe good news is that nobody is known to have died as of yet from any critical, life-giving medical device,\u201d says Ray Walsh, digital privacy expert at ProPrivacy.com.\u00a0<\/span>\u201cHowever, medical devices have been proven to harbor vulnerabilities that can be exploited by hackers.\u201d<\/span><\/p>\n A vulnerability is a software bug or glitch that might leak information or grant unauthorized access to the device in question; medical devices harbor an average of <\/span>6.2 vulnerabilities each,<\/span><\/a> according to <\/span>one report<\/span><\/a>. A hacker can hijack a vulnerable device in different ways, including by disabling it altogether, draining the battery, changing a medication dosage, displaying fake vital signs and issuing a fatal shock. Often, to carry out these types of attacks, hackers<\/span>\u00a0infect devices with malware, meaning software designed to disrupt, damage or gain access to a system. <\/span>In a recent survey<\/span><\/a> by the College of Healthcare Information Management Executives, 18 percent of provider organizations reported that their<\/span> medical devices were affected by malware or ransomware<\/span><\/a> in the previous 18 months. Ransomware attacks on healthcare organizations are predicted to quadruple between 2017 and 2020, according to the Cybersecurity Almanac.<\/a><\/span><\/p>\n Some glitches are considered <\/span>\u201czero-day vulnerabilities\u201d \u2014 they don’t come to light until the day they’re unmasked.<\/span><\/p><\/blockquote>\n In a lot of cases, vulnerabilities can be anticipated and fixed before hackers can take advantage of them. But some glitches are considered <\/span>\u201czero-day vulnerabilities\u201d \u2014 they don’t come to light until the day they’re unmasked. <\/span>\u201cBecause they’re unknown until they’re discovered, the manufacturer of the device has \u2018zero days\u2019 to get the vulnerability patched in order to inhibit the risk of exploitation,\u201d explains Walsh. \u201cIn cases where an exploit could lead to a loss of life, potential zero-days are extremely concerning.\u201d<\/span><\/p>\n The late security researcher and famous \u201cwhite hat\u201d hacker Barnaby Jack was in the business of proving that seemingly unbelievable hacks \u2014 the stuff of spy movies \u2014 could easily happen in real life. While presenting at a security conference in 2012, Jack live-hacked a wireless insulin pump that he\u2019d placed in a see-through mannequin, administering a lethal dose of insulin to the dummy from 300 feet away. He also developed a way to send a high-voltage electric shock to any pacemaker within a 50-foot radius. Jack was going to reveal his technique for hacking pacemakers at a 2013 security conference, but <\/span>died suddenly<\/span><\/a> a week before the talk.<\/span><\/p>\n Jack\u2019s theatrical demonstrations forced people, including government officials, to acknowledge security weaknesses in critical, widely used medical devices. <\/span>Walsh says that several factors contribute to the vulnerabilities that Jack, among other security experts, have called attention to. For example, some devices come with hard-coded passwords that are easier to guess than ones created by users.\u00a0<\/span>Complicating the matter, added security features might tax a device\u2019s storage or energy, or even slow down the process of authorizing device access during emergencies.\u00a0<\/span><\/p>\n Some cyberattacks infiltrate entire networks, not just one device, to thwart hospital operations or collect personal information. In 2017, a cyberattack called Wannacry unleashed chaos in hospitals worldwide. \u201cThis attack took advantage of a security flaw that was present in the Microsoft Windows operating system, shutting down the entire hospital network,\u201d says Joe Flanagan, software engineer at <\/span>GetSongBPM<\/span><\/a>. In as many as 140 British hospitals, WannaCry blocked the network\u2019s ability to check schedules, resulting in patients missing surgery appointments.<\/span><\/p>\n Coordination among manufacturers, patients, providers\u00a0and government could be our best defense against cybercrime.\u00a0In January, a coalition of hospitals and medical device manufacturers <\/span>released a security plan<\/span><\/a> that proposed basic measures for manufacturers to implement and hospitals to demand. To heighten security awareness from the start, the FDA has issued guidance for the earliest stages of medical-device submission: specific lists of cybersecurity hazards, established controls, and plans for future software updates and patches. In 2017, the FDA recalled 465,000 pacemakers to bolster their security features in hopes of preventing hacks.<\/span><\/p>\n Device makers often challenge security experts like Jack to hack their devices. And to comply with federal cybersecurity mandates, hospitals are developing processes to prevent, handle and respond to breaches and threats. <\/span>When necessary, Walsh explains, hospitals arrange for patients to receive updated firmware with security patches on their devices.<\/span><\/p>\n Many diabetes patients had already begun to hack their own insulin pumps.\u00a0<\/span><\/p><\/blockquote>\n If patients feel that software settings are beyond their grasp, they do have one powerful resource at their disposal: starting a dialogue with doctors and nurses.<\/span><\/p>\n \u201cI see protection of medical devices being a consumer-led effort,\u201d says <\/span>Amelia Roberts, a registered nurse and healthcare consultant. \u201c<\/span>Patients can remain aware by asking their providers, \u2018How are hospital staff being educated on recognizing and responding to a compromise versus an attack?\u2019 \u2018How is my medical device being kept safe from hacking?\u2019 In short, getting us healthcare folks to even discuss this is the best way to improve the situation.\u201d<\/span><\/p>\n That said, not every hack is purely malicious, and device hackability can even be a boon to patients. <\/span>In 2016, an insulin pump manufacturer discovered a vulnerability that enabled hackers to \u201cspoof\u201d communication between an insulin pump and its remote control. By imitating an authorized user, the hacker could command the pump to deliver unauthorized insulin. The manufacturer disclosed the vulnerability to the FDA and issued directions for protection to diabetes patients and their providers. But many diabetes patients were way ahead of the game, and had already begun to hack their own insulin pumps.<\/span><\/p>\n Traditionally, patients need to check their glucose monitor and manually adjust the insulin that regulates blood sugar levels. While this can be onerous enough during the day, it\u2019s downright excruciating at night, when blood sugar tends to fluctuate. So patient hackers developed and shared instructions to build an open-source \u201cartificial pancreas system,\u201d or <\/span>OpenAPS<\/span><\/a>. The companion app reads the glucose monitor, determines whether to increase or decrease insulin and then converts the smartphone\u2019s Bluetooth into a radio signal that registers on the pump as a command to release more insulin automatically. This system hasn\u2019t been blessed by the FDA, but doctors acknowledge its benefits. And because early hacking was only possible due to a \u201cflaw\u201d \u2014 the ability to receive and follow external orders \u2014 newer devices actually bake that innovation into a system that does have FDA approval.\u00a0<\/span><\/p>\n In <\/span>a video posted by CNBC<\/span><\/a>, an endocrinologist with pump-hacking patients said: \u201cI personally don\u2019t know of any major problems that have occurred. Mostly what I am hearing is: People are extremely happy with their results.\u201d<\/span><\/p>\n More patients are relying on wireless pacemakers, insulin pumps and other devices. What happens when this life-saving tech gets hijacked? <\/p>\n","protected":false},"author":44,"featured_media":18332,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[229],"tags":[114,131],"class_list":["post-18331","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-healthcare-trends","tag-data","tag-tech","reviewer-dr-nassim-assefi"],"yoast_head":"\n
\nHigh tech, low security<\/h3>\n
Teaming up\u00a0<\/span><\/h3>\n
DIY hacking<\/span><\/h3>\n
\nReady to book a doctor’s appointment? Visit Zocdoc.<\/span><\/a><\/span><\/h1>\n","protected":false},"excerpt":{"rendered":"