“The good news is, we haven’t seen actual active threats or deliberate attempts against medical devices yet,” said Kevin Fu, a University of Michigan researcher who has made his career testing the vulnerability of medical systems.
The bad news is that hospital medical devices may be vulnerable to hackers simply because they can be the weak link that gives a criminal access to a hospital’s data system—especially if the devices haven’t been updated with the latest security patches, said Ken Hoyme, a scientist at Adventium Labs, a cybersecurity firm in Minneapolis.
In the real world, he said, a hacker is more likely interested in stealing records he can sell than in harming a patient.
“There are not that many bad … guys whose goal in life is to go and randomly mess with patients in hospitals,” Hoyme said. “They want money, not to shut off the ventilator of a particular patient.”
Hospitals are targets because they collect so much data, from patients’ Social Security numbers and financial information, to diagnosis codes and health-insurance policy numbers.
Radcliffe estimates that medical-identity information is worth 10 times more than credit-card information—about $5 to $10 per record on the black market, compared to 50 cents per account for credit-card information.
Crooks can use it to apply for credit, file fake claims with insurers, or buy drugs and medical equipment that can be resold.
And unlike the victims of credit card theft, those with stolen medical identities might not know for months or even years, giving the thieves more time to use their information.
Yet there are few cybersecurity standards for medical devices.
In October, the FDA issued guidance outlining what security features developers should bake into their products when seeking approval for a new device.
The guidelines, which aren’t binding, say that when seeking approval for a new device, manufacturers should detail the cybersecurity threats they considered and build in better ways to detect when a device might have been hacked.
They should also build in protections, such as limiting access to authorized users and restricting software updates only to products with authenticated coding.
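The two protections named above can be made concrete. The following is an added illustration, not code from the article, the FDA guidance, or any device maker: a device accepts a software update only if a manifest describing the update carries a valid signature from the manufacturer's key, the update image matches the digest recorded in that signed manifest, and the manifest is for this device model. The manifest format, the device names, and the use of Ed25519 are assumptions chosen for the example; the "firmware" is a constructed byte string.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// UpdatePackage is a constructed stand-in for a device software update:
// the image bytes, a manifest describing them, and a signature over the manifest.
type UpdatePackage struct {
	Image     []byte
	Manifest  []byte // assumed format: "device=<model>;version=<ver>;sha256=<hex>"
	Signature []byte
}

// NewSigningKey generates a manufacturer key pair. In a real deployment the
// private half lives in the vendor's build infrastructure and only the public
// half is burned into the device; it is generated here purely for the demo.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// buildManifest binds the image to its SHA-256 digest, so a signature over the
// manifest also commits to the exact image contents.
func buildManifest(model, version string, image []byte) []byte {
	digest := sha256.Sum256(image)
	return []byte(fmt.Sprintf("device=%s;version=%s;sha256=%s",
		model, version, hex.EncodeToString(digest[:])))
}

// parseManifest splits the assumed "k=v;k=v" manifest format into fields.
func parseManifest(m []byte) map[string]string {
	fields := map[string]string{}
	for _, kv := range strings.Split(string(m), ";") {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) == 2 {
			fields[parts[0]] = parts[1]
		}
	}
	return fields
}

// SignUpdate is the manufacturer side: produce the manifest and sign it.
func SignUpdate(priv ed25519.PrivateKey, model, version string, image []byte) UpdatePackage {
	manifest := buildManifest(model, version, image)
	return UpdatePackage{Image: image, Manifest: manifest, Signature: ed25519.Sign(priv, manifest)}
}

// VerifyUpdate is the device side, run before anything is written to storage.
// All three checks must pass; any failure means the update is discarded.
func VerifyUpdate(pub ed25519.PublicKey, model string, pkg UpdatePackage) error {
	// 1. The manifest must be signed by the key the device trusts.
	if !ed25519.Verify(pub, pkg.Manifest, pkg.Signature) {
		return errors.New("manifest signature invalid: update rejected")
	}
	f := parseManifest(pkg.Manifest)
	// 2. A validly signed update for a different model is still not for us.
	if f["device"] != model {
		return fmt.Errorf("manifest is for %q, not %q: update rejected", f["device"], model)
	}
	// 3. The image actually delivered must be the one the signed manifest describes.
	digest := sha256.Sum256(pkg.Image)
	if f["sha256"] != hex.EncodeToString(digest[:]) {
		return errors.New("image digest does not match signed manifest: update rejected")
	}
	return nil
}

func main() {
	pub, priv := NewSigningKey()
	image := []byte("constructed firmware image v2.1.0") // constructed sample, not real firmware

	good := SignUpdate(priv, "infusion-pump-x", "2.1.0", image)
	fmt.Println("genuine update:", VerifyUpdate(pub, "infusion-pump-x", good))

	// An image altered after signing no longer matches the manifest digest.
	tampered := good
	tampered.Image = []byte("constructed firmware image v2.1.0 (modified)")
	fmt.Println("tampered image:", VerifyUpdate(pub, "infusion-pump-x", tampered))

	// A package signed with some other key is rejected outright.
	_, otherPriv := NewSigningKey()
	forged := SignUpdate(otherPriv, "infusion-pump-x", "2.1.0", image)
	fmt.Println("unauthorized signer:", VerifyUpdate(pub, "infusion-pump-x", forged))
}
```

The order of the checks matters: the signature is verified before the manifest is parsed or the image hashed, so unsigned input never reaches any other processing. Binding the image to the manifest through its digest is what lets one small signed blob authenticate an arbitrarily large update.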
Some security experts say the guidelines are a good start but should be binding. Others fear that giving them the force of regulation could do more harm, because they would become outdated quickly.
Nonetheless, the FDA’s guidance has, in effect, changed the conversation among device makers from, “‘Do I believe this is a real threat?’ to ‘What do I have to do to satisfy the FDA?’” said Hoyme.
By the end of the year, the agency is expected to issue similar recommendations for devices already on the market.
One reason many existing devices might be vulnerable is that they run on defunct operating systems like Windows XP, which Microsoft stopped supporting in April, meaning there won’t be any new security patches. Other, newer devices may have built-in passwords that are difficult to change. Gaining access to such devices can be fairly easy, which could make them more vulnerable to attack, researchers say. In addition, a password is sometimes intentionally disabled so that medical staff can reach the device easily in an emergency.