Still, experts say, hospitals and device manufacturers can’t afford to be complacent. They need to use multiple defenses to guard against the threats posed by the Internet.
In addition to the wide array of hospital devices, implantable devices such as pacemakers, insulin pumps and defibrillators can be remotely monitored through wireless networks, making them susceptible to hacking.
“There’s almost no medical device that doesn’t have a network jack on the back,” said John Halamka, chief information officer at Beth Israel Deaconess Medical Center in Boston. “To fight the evils of the Internet, not only do you have to have a moat, you have to have a drawbridge, burning oil to pour on attackers, and guys with arrows.”
Kevin Fu, who heads the Archimedes Center for Medical Device Security at the University of Michigan, said that several hospitals in 2010 and 2011 were forced to temporarily close their cardiac catheterization labs, which typically perform procedures to widen blocked arteries, because critical devices were infected. At least one patient had to be moved to another hospital.
At Beth Israel some years ago, fetal monitors for women with high-risk pregnancies were infected with malware that slowed the devices’ response time. Patients were not harmed and the problem was eventually fixed, Halamka said. Now the hospital is one of the most aggressive in the country in countering cybersecurity risks.
The FDA has a database for reports of adverse events, but quantifying cybersecurity incidents involving medical devices is nearly impossible. People reporting problems are usually not trained to identify malware as a cause.
Device manufacturers can solve the problems most easily but have the least incentive, because doing so is expensive, experts said. Hospitals, which buy the devices, want improved security but often lack the resources or technical expertise to make the software fixes. Experts say manufacturers typically refuse to apply software patches, claiming the FDA does not allow updates to regulated devices, but FDA officials say that is not the case.
At Beth Israel, about 15,000 devices run on the hospital’s network on a typical day. About 500 of them run older operating systems that are most susceptible to malware infection; these are most often medical devices outside the hospital’s direct control, Halamka said.
The hospital isolates these devices from the Internet and scans its entire network monthly to find new risks. It is doubling its information technology budget next year.
The Veterans Health Administration created a protection program several years ago to eliminate malware and viruses. The federal agency scans flash drives and other portable media for viruses and limits the number of devices connected to the Internet.
The ultimate answer, many experts said, is for manufacturers to build their systems in a way that supports the use of anti-virus software and permits fixes.
Mark B. Leahey, president of the Medical Device Manufacturers Association, said the industry wants to work with “all the stakeholders” to fix weaknesses.
Bernie Liebler, director of technology and regulatory affairs for the Advanced Medical Technology Association, another trade group, said patient safety is the industry’s biggest priority.
Academic researchers, government officials and industry experts have ratcheted up warnings in recent years. A public-private federal advisory committee noted last year that no agency had primary responsibility for medical device security. Also last year, the DHS and the Government Accountability Office issued reports about potential problems.
Several years ago, Fu and other researchers demonstrated in a lab how a combination heart defibrillator and pacemaker was vulnerable to computer hacking. The researchers gained wireless access to the device and reprogrammed it to deliver jolts of electricity that would have potentially been fatal if the device had been in a person.
Fu said he believes that the manufacturer fixed the problem, but not before a producer for the television series “Homeland” used it in the plot line for an episode in which the U.S. vice president dies after a terrorist hacks into his pacemaker and generates lethal jolts of electricity.