It’s a scary world out there when you think of hackers getting access to your bank accounts, email, or social media sites. It’s quite another thought when hackers get access to medical devices and wreak havoc. It almost sounds like something we would see in a movie, like “The Net.”
Oh, let’s talk about “The Net”… For those of you who haven’t seen this movie, obviously, spoilers ahead. For those of you who saw that movie and don’t quite remember, here is a quick summary: Sandra Bullock is a systems analyst who gets herself into a sticky spot by seeing something she isn’t supposed to see. Fast forward to a scene in a hospital with Sandra and her psychiatrist. The psychiatrist is placed into the hospital due to an allergic reaction to penicillin.
Sandra leaves the hospital and comes back a few hours later. When she enters the hospital, she sees alarms going off in her psychiatrist’s room. She attempts to get into the room and is promptly escorted out. Her psychiatrist dies a few minutes after revival attempts. After Sandra inquires about the death, she is told it is due to insulin shock since he was checked in for diabetes treatment. At this point, Sandra has a heated discussion about why this is not correct and leaves the facility.
Let’s take a step back. This movie came out in 1995. However, this very scene, which is portrayed in many ways in many movies, books, and television shows, has many implications that exist today.
Last month, Wired published the article “It’s Insanely Easy to Hack Hospital Equipment” that discussed a two-year-old study in which a team and their leader, Scott Erven, found that most medical devices could be manipulated remotely to change settings that could prove detrimental or deadly to a patient.
Last year, a briefing at a Black Hat hackers’ convention showed how insulin pumps can be stimulated to give more insulin or no insulin just by switching batteries. Another presentation was scheduled to discuss “how to kill a man at 30 feet by hacking his pacemaker.”
Stories that you only expect to see on television shows, in books, or movies are gradually becoming reality. You might be thinking to yourself that maybe hackers would have to get access to the hospital network to get and exploit sensitive information like this. This, however, is also far from reality.
These days, medical records sell for roughly $60 on the black market, which opens up a whole new set of issues to deal with besides manipulating devices, such as fraud. The Wall Street Journal did a basic search and was able to locate patient information on 4shared.com.
So if this behavior is becoming more rampant, what is being done to mitigate this? These types of conversations have been occurring on and off for the past decade. The Military Health System started first in 2008 by releasing the DOD Information Assurance Certification and Accreditation Process (DIACAP) to help stay in compliance with the Federal Information Security Management Act, but other groups remained stagnant. For more info see: Who’s Hacking Your PACS?
In 2012, the main problem was stated by John Halamka, CIO at BIDMC:
“I can’t update them, and the manufacturers aren’t updating them, so they can become vectors for malware.”
The Government Accountability Office released a report that same year stating that the “FDA should expand its consideration of information security for certain types of devices.”
After eight months, the FDA reached out to manufacturers, hospitals, and many other types of audiences to address vulnerabilities that could be exploited by hackers or viruses, and provided guidance via a cybersecurity clause that allows for a post-market device to be patched without requiring re-certification.
Meaningful Use is the word around the health care vine, and it’s meant to make sure the information being captured is “meaningful” and quality data. We expect that this quality data, our protected health information (PHI) that we entrust to providers, is safe and secure as well. It takes work and testing, but the end result is comfort in knowing that your care is being taken care of and safeguarded.
So what does that mean for the rest of us? We had some idea that this type of situation could potentially occur, but maybe never realized how bad it has become. What are the next steps that we need to take?
This is something we all need to think about for the future and work as a team to make life easier and hopefully better. You decide!
Deepika Patel