Today’s digital health care systems are facing relentless cyberattacks, which are targeting health care organizations as well as the medical devices they use.
The critical nature and size of the U.S. health care market — an estimated $3.5 trillion in 2020, with substantial growth anticipated — make it a favorite target of hackers. Vanson Bourne conducted a survey for Sophos in early 2021, polling 5,400 IT decision makers across 30 countries. The responses revealed that 34% of health care organizations were attacked by ransomware the previous year, and 65% were victimized in some way. Ransomware successfully froze the data of 54% of the IT systems. Some 44% of the affected firms used backups to restore their data, while 34% ended up paying the ransom to get their data back.
Other studies are even more alarming. Black Book Research indicated that more than 93% of health care organizations have been hacked since Q3 2016, and 57% had more than five data breaches during the same timeframe.
In 2020, health care hackers demanded $4.6 million on average for each attack. This number is expected to grow as hackers become more and more aggressive. Overall, health care data breaches cost the industry $4 billion.
The impact of these attacks is significant. For example, Universal Health Services (UHS), a Fortune 500 health care organization based in King of Prussia, PA, was attacked by ransomware in September 2020. UHS operates 400 hospital facilities in the U.S. and U.K., and the hackers shut down computer access, phone systems, and electronic health records for all of them. The fix took three weeks, and UHS reported a pretax loss of $67 million for the year.
In another case, hackers blocked access to the University of Vermont Medical Center’s data. Employees were unable to retrieve electronic health records (EHRs) and payroll programs. Surgeries had to be rescheduled. Lost revenue was estimated at $50 million.
Cyberattacks come in different forms and styles. Ransomware often grabs the headlines. However, hackers also use many other kinds of malware, installing unwanted software to cause disruption and/or damage.
Polymorphic viruses, spyware, stealth viruses, and trojan horse attacks all fall under the category of malware. Hackers can also wreak havoc with denial of service (DoS) and distributed denial of service (DDoS) attacks, phishing, man-in-the-middle attacks, eavesdropping, and more.
“The health care sector faces some unique challenges,” said Mark Knight, director of architecture product management at Arm. “Some of our most personal data needs to be protected, but making that data securely available to authorized practitioners and equipment is vital to improve health care outcomes and increase the efficiency of busy health care services. At the same time, the volume of data held about us is increasing rapidly, and the potential benefits of technology in health care are enormous. When looking to protect against potential attacks, it’s worth noting that the solutions used in health care are similar to those used in other industries that have a critical dependency on information technology.”
Fig. 1: Rising threats to health care. Source: Center for Internet Security
Medical device vulnerability
While accounts of medical device hacking may resemble movie plots, the hacking is all too real, and many medical devices have been shown to be susceptible to cyberattacks. That includes drug-infusion and insulin pumps, pacemakers, and implantable cardioverter defibrillators (ICDs).
In late 2019, the U.S. Food and Drug Administration issued an “URGENT/11” warning to alert patients, health care providers, and facility staff, as well as manufacturers, about cybersecurity vulnerabilities introduced by a third-party software component. A security firm has identified 11 vulnerabilities, named “URGENT/11,” which allow attackers to remotely control the medical device and modify its normal functions. Some versions of a number of popular operating systems may be affected, according to the FDA, including:
- VxWorks (by Wind River)
- Operating System Embedded (OSE) (by ENEA)
- INTEGRITY (by Green Hills)
- ThreadX (by Microsoft)
- ITRON (by TRON Forum)
- ZebOS (by IP Infusion)
While not every attack affects patients’ health, hackers may want to steal data for financial gain. That can happen in a number of ways, such as reverse engineering of a single-use medical device by creating a workaround to defeat that single-use feature.
“The principal attack vectors focus on cybersecurity soft spots, including internet-connected PCs, laptops, tablets, and phones, utilizing phishing attacks and user-installed malware,” said Scott Best, director of anti-tamper security technology at Rambus. “A secondary attack vector aims at electronic health care devices, such as glucose monitors, ultrasound transducers and other diagnostic peripherals. These devices are as susceptible as laptops are to intrusion and malware, but they’re additionally susceptible to cloning and re-manufacturing attacks. In that context, there’s not only direct risk to patient safety, there’s also risk to the revenue streams of leading medical device manufacturers.”
In 2017, the FDA announced the recall of some pacemakers made by Abbott (formerly known as “St. Jude Medical”). The reasons include early and fast battery drain and too little time between the first battery depletion warning by the elective replacement indicator (ERI) and the device’s end of service (EOS). If pacemakers with these drawbacks are hacked, the attacker potentially can drain the battery by setting the device in a constant transmission mode. In addition, hackers could exploit the pacemaker’s flaws to demand ransom.
Similar to other electronic designs, medical devices use software, chips, and other electronic components. As with any connected electronics, it is not uncommon for a medical device to have one or more vulnerabilities, which may show up at any time throughout its lifecycle. But for medical devices, these threats have safety implications.
“For medical devices, security is coming into play because of safety,” said Andreas Kuehlmann, CEO of Tortuga Logic. “For companies making those devices, it’s actually not about the cost of implementing security. Security at the end of the day involves an indirect business decision that includes things like liability and potential recalls. But with medical, security has an indirect impact on safety, and safety is extremely well understood. So whether it’s privacy, or medical record protection under HIPAA, there is a direct business impact.”
Dealing with threats
Cybersecurity in health care includes the practice of the commonly accepted confidentiality, integrity, and availability (“CIA triad”) principle:
- Confidential data can be accessed or modified only by authorized users.
- The integrity of data should be managed and stored in such a way that nobody can change or modify it accidentally or maliciously.
- Data should be available to authorized users. In the case of a ransomware attack, data should be locked up and unauthorized users denied access.
Achieving the CIA triad requires several basic steps.
Cybersecurity mindset: Health care organizations need to develop a top-down cybersecurity mindset, because effectively protecting data and equipment is a multi-device, multi-system challenge. That requires an overall end-to-end strategy, as well as a recovery plan in case of an attack, with regular staff training and proper procedures, such as good password practices for different systems. The goal is to keep damage to a minimum and recover in the shortest possible time.
Security by design: IT access should be tightly controlled and limited. Only authorized users and authenticated devices should have access to connections and data. For new IT systems, the application layer (web, cloud applications, mobile connection) must have built-in security.
“Attackers will find any weakness, so it is hard to overstate the challenge,” said Arm’s Knight. “A key to all security is strong authentication of users and devices. It’s essential that devices can be uniquely identified, and that the state of each device (for example, the software or firmware that’s installed), can be inventoried, measured and verified. This can ensure that a rogue or compromised device is identified before it poses a threat to the integrity or confidentiality of data or the health care network as a whole. Standards like PSA Certified enable device manufacturers to demonstrate their products can be identified and authenticated throughout their life cycle, providing a foundation of assurance that enables trusted deployments at scale. In addition, advanced isolation technologies that support the confidential computing paradigm can be used, allowing increasingly strong compartmentalization within health care systems. Stronger isolation will reduce the risk from privileged users and make it much harder for attackers who successfully compromise one application to use that asset as a vector to attack another application or system.”
Arm recently introduced its Confidential Compute Architecture (CCA), which shields portions of code and data from access or modification while in-use, even from privileged software.
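The device identification and firmware verification Knight describes can be sketched as a challenge-response check on the network side. This is an added example, not code from Arm, PSA Certified, or any vendor named here; the device ID, key, firmware image, and verdict strings are constructed, and an HMAC with a provisioned per-device key stands in for the signing key a hardware root of trust would hold.

```python
import hashlib
import hmac
import secrets

# Constructed inventory: device id -> (per-device key, SHA-256 of approved firmware).
# Assumption: HMAC with a provisioned key stands in for a hardware-held signing key.
APPROVED_FW = b"infusion-pump-fw v2.4.1 (constructed sample image)"
INVENTORY = {
    "pump-0017": (bytes.fromhex("11" * 32), hashlib.sha256(APPROVED_FW).digest()),
}

def _tag(key, device_id, nonce, measurement):
    # Length-prefix each field so field boundaries cannot be shifted.
    msg = b"".join(len(p).to_bytes(2, "big") + p
                   for p in (device_id.encode(), nonce, measurement))
    return hmac.new(key, msg, hashlib.sha256).digest()

def device_report(device_id, key, firmware_image, nonce):
    """Device side: measure the installed firmware and bind it to the challenge."""
    measurement = hashlib.sha256(firmware_image).digest()
    return {"id": device_id, "nonce": nonce, "fw": measurement,
            "tag": _tag(key, device_id, nonce, measurement)}

class Verifier:
    def __init__(self, inventory):
        self.inventory = inventory
        self.pending = {}  # device id -> outstanding one-time challenge

    def challenge(self, device_id):
        self.pending[device_id] = secrets.token_bytes(16)
        return self.pending[device_id]

    def verify(self, report):
        entry = self.inventory.get(report["id"])
        if entry is None:
            return "reject: unknown device"
        key, expected_fw = entry
        nonce = self.pending.pop(report["id"], None)  # each challenge is single-use
        if nonce is None or not hmac.compare_digest(nonce, report["nonce"]):
            return "reject: stale or replayed report"
        good = _tag(key, report["id"], nonce, report["fw"])
        if not hmac.compare_digest(good, report["tag"]):
            return "reject: authentication failed"
        if not hmac.compare_digest(expected_fw, report["fw"]):
            return "quarantine: unapproved firmware"
        return "admit"
```

The order of checks matters: the report is authenticated before its firmware measurement is trusted, so an authentic device running an unapproved image is quarantined rather than confused with an impostor.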
Security controls and checkups: Proven cybersecurity technology for both hardware and software is available, but preventing attacks may come down to more basic actions, such as promptly updating software, and regularly hunting for vulnerabilities and malicious software. Many attacks occur due to delays in installing known patches. In addition, security checks should be done for all third-party software, especially those coming from the supply chain. Sometimes infected software from a supplier ends up infecting entire user IT systems.
Protected health information, or PHI, contains patient medical records and other private information. One of the goals of the “CIA triad” is to prohibit PHI data breaches, as defined by the HIPAA Privacy Rule, which requires appropriate measures to safeguard PHI. It also sets limits and conditions on using and disclosing such information without an individual’s authorization. To achieve data security, health care organizations must, at a minimum, encrypt PHI in storage or in transit, and store PHI on secure internal systems or at secure locations that can be accessed only by authorized users.
Minimizing medical device vulnerability: For health care organizations it is important to install medical devices from reputable suppliers with good security knowledge and practices.
For medical device manufacturers, it is important to observe all the security design rules and to integrate security at the earliest stages of the design. This includes zero trust and secure boot, using encryption algorithms to guard against counterfeit ICs, limiting data collection, and keeping data for the shortest possible time to minimize exposure.
“Medical device manufacturers have a responsibility to develop devices with secured software and hardware from the ground up,” said Steve Hanna, distinguished engineer at Infineon Technologies. “Secured hardware is needed to reliably protect patient safety and data during storage and processing. The device should include security chips that perform authentication and encryption of sensitive data, as well as generation and storage of cryptographic keys. Additionally, the security chips should check the integrity of software, machines and devices to identify manipulation and detect unauthorized changes. Only when you build all these functions on a hardware root of trust can you be confident that medical devices are secure.”
But even with the best security measures, hackers may gain access.
“Man-in-the-middle attacks are becoming more and more common,” said Thierry Kouthon, technical product manager at Rambus Security. “The increased demand for wireless medical devices provides new opportunities for hackers to engage in cyberattacks. The attacks come in many different forms, including the interception of confidential data, insertion of malicious code, session hijacking, and interruption of data transfer. Detecting man-in-the-middle attacks can be difficult. An example would be the pairing of a Bluetooth medical device. It is up to the device manufacturer to ensure security is built-in. Considerations include reducing the range of Bluetooth communication, if at all possible. The Bluetooth protocol also supports passkeys or PINs that must be inserted by the user during the pairing phase between two Bluetooth devices. This will make it more difficult for an eavesdropper to intercept traffic without knowing the passkey, and also requires a physical interface to insert the passkey.”
In December 2021, the Oregon Anesthesiology Group (OAG) announced it had experienced a cyberattack on July 11. On Oct. 21, the FBI informed OAG that it had uncovered an account that belonged to HelloKitty, a Ukrainian hacking group. The account contained OAG patient and employee files. According to OAG, the data breach potentially affected 750,000 patients and 522 current and former OAG employees.
Other attacks continue, often without much public notice. But most experts also believe cyberattacks will only get worse, causing major disruptions to health care itself, revenue losses among providers, and increasingly putting pressure on hardware, software, and systems developers to design in security from the outset.