By Monique Bethell
Earlier this month, Johnson & Johnson had to inform 114,000 diabetic patients that one of its insulin pumps, the J&J Animas OneTouch Ping, could be hacked. The device could be attacked, disabling the pump or alter the dosage.
Just recently, MedSec, a cybersecurity firm exposed a life threatening security vulnerability which endangered the safety of patients who own defibrillators and pacemakers manufactured by St. Jude Medical.
Hollywood Presbyterian Hospital paid a $17,000 ransom to a criminal enterprise that broke into the hospital’s system, earlier this year encrypted data, then demanded an even larger payment.
Hackers have been using this type of ‘ransomware’–a type of malware in which attackers can steal or delete the contents of users’ computers if they don’t pay a ransom–for the past 25 years. However, how, it seems, the same type of malware, can be used to hack into medical devices and equipment. Cyber experts have determined that Ransomware in medical devices is the single biggest cyber security threat for 2016, according to a recent report from research and advisory firm Forrester and reported by Motherboard.
Am I at risk?
The answer is probably… even if you are just someone whose provider uses online patient portals to access medical records. The truth is everyone is at risk because of the growing and rapidly expanding threat of hackers that can illegally access anything connected to the internet.
The video below, originally published by the Wall Street Journal provides a better overview of the security threats and vulnerabilities.
The government responds….
Earlier this year, the FDA issued a letter warning hospitals and patients that a pump commonly used to ration out proper dosing of medicine in IVs could be vulnerable to attack. Rep. Jim Langevin (D-R.I.), who co-chairs the Congressional Cybersecurity Caucus, wrote the Food and Drug Administration (FDA) to praise the agency’s draft cybersecurity guidelines for medical devices.
As noted in a statement published by the Hill.com, Langevin said, “I strongly support FDA’s efforts to improve the security of medical devices, and if finalized, the draft guidance would make substantial progress in this area,”. He further supported their progress while expressing concern about the potential for harm to patient safety if medical devices are compromised. Such concerns are equally shared by security specialists who worry that hackers can penetrate hospital firewalls and seal patient data, and control the functions of vital equipment such as medication pumps, ventilators and heart monitors.
An ever larger issue is the vulnerability of hospitals to attacks that could threaten operations, systems and infrastructure needed to save lives, particularly during an emergency situation or national crisis.
So what…now what?
So it’s clear that now even medical devices have become the target of aggressive, unethical computer hackers. Addressing the security threat posed by this vulnerability will require multiple levels of intervention.
The FDA diligently working to update its digital security guidelines and recommendations as more medical devices are connected to the Internet. Organizations that develop medical devices and technology will have to take additional measures to increase their security protocols before obtaining final approval. Physician offices, clinics, hospitals and other health care provider organizations will need to partner with cybersecurity firms to take extra steps to ensure the safety of patient data and other medical technology.
