Over the past year, several events have given legs to the growing body of concern over the potential for medical devices to be compromised by hackers. Security tests of various devices by expert hackers and security laboratories have shown that a range of devices, from implantable insulin pumps to defibrillators, pacemakers, and other medical electronics, are vulnerable to hacking. The potential for such hacking to compromise a medical device recently became reality with the spread of the “WannaCry” ransomware, which was able to compromise a variety of medical equipment such as imaging systems and dye injectors (Wired. Published March 2, 2017.).
What has emerged is the need to protect medical devices against a two-fold cyberthreat. First is the need to protect individual patients from the potential for harm if the device itself is compromised, such as a hack into an insulin pump that resets the device to administer a fatal dose of insulin to the patient. Second, systems must be protected against being hacked through the portal of a medical device, an easy entry point to a hospital network that could lead to stealing medical records.
To that end, a number of government and non-government agencies are working together to address these risks and ultimately protect patients while securing their privacy.
Risk to Otolaryngologic Devices
Although no known vulnerability risk has been detected in medical devices used in otolaryngology, such as cochlear implants and hearing aids, the potential exists for such vulnerability.
“Any medical device that can be connected through wired or wireless means to an external device, typically for the purpose of changing control settings, can conceivably be hacked,” said Stephen L. Grimes, managing partner at medical technology consulting firm Strategic Healthcare Technology Associates, based in Swampscott, Mass. “The external device might be a controller, a computer, a thumb drive, or other remote storage device,” he added.
To date, however, no specific cybersecurity concerns have been reported for devices used by otolaryngologists, and concern over this issue is not yet widespread among the specialty, according to Kenneth H. Lee, MD, PhD, chair of the American Academy of Otolaryngology Head & Neck Surgery (AAO-HNS) Medical Devices and Drugs Committee.
He believes that the security risk to current technologies used for cochlear implants and hearing aids, such as the use of Bluetooth streaming from smart phones to adjust settings, is limited. “I don’t think there is significant concern about individuals desiring to randomly access settings of a patient’s implant or hearing aid,” he said.
For Dr. Lee, the advances in technology for otolaryngology devices are only a “big plus,” from both the patient and provider standpoints. “Having a smart phone and being able to adjust your hearing on your smart phone is a huge plus for patients and something they appreciate and find very valuable,” he said.
Although the vulnerability of these devices to hacking is not yet on his or the Academy’s radar, he emphasized that it is something “we need to be judicious about moving forward.”
The Need for Awareness
For Grimes and other security experts who regularly consult with medical and government entities in developing guidance on cybersecurity, educating providers on the potential risks to medical devices is a top priority when it comes to helping ensure their safety. “Practitioners, including otolaryngologists, need to know that today’s new technologies often bring new cyber vulnerabilities,” he said. “To ensure safe use of the new technologies, practitioners should question security and clinical engineering experts to verify that all stakeholders in the process understand the issue and are taking the appropriate precautions.”
Scot Copeland, a medical IT network risk manager at Scripps Health in San Diego, also emphasized the need for otolaryngologists, along with all providers, to be aware of cybersecurity issues in their own environment. “The cybersecurity issues aren’t as prevalent in the ENT discipline as elsewhere, but the basics still apply, and awareness is key to identifying the issues as new products and implementation arise,” he said.
One example of a new technology that addresses these cybersecurity concerns is the Nucleus 7 Sound Processor for cochlear implants, manufactured by Cochlear Ltd. and approved by the FDA in June 2017. According to Jan Janssen, senior vice president of research and development at Cochlear, the processor is designed to prevent unauthorized use of the device, or a malicious attack on it. Janssen also emphasized that the processor “had to meet the applicable cyber security guidelines” set by various regulatory bodies around the world to obtain approval.
Among the basics of cybersecurity that otolaryngologists and other providers should pay attention to are such things as using strong passwords, keeping software and operating systems as up to date as possible, using anti-malware where possible, replacing older equipment that can’t be kept current, and following manufacturer guidance on safety and security. In other words, “adhering to proper cybersecurity hygiene,” he said.
Mary Beth Nierengarten is a freelance medical writer based in Minnesota.
The Department of Homeland Security warned providers in July 2017 about several cybersecurity vulnerabilities in molecular imaging products manufactured by Siemens.
The vulnerabilities, which give an attacker the ability to access the devices remotely, have been found in four devices running on Windows XP and Windows 7. Siemens said it is updating the affected products and recommends running the devices on a dedicated network protected by a firewall or disconnecting the devices from the network and reconnecting only after a patch has been installed.
Senate Bill Targets Medical Device Cybersecurity
In August, U.S. Senator Richard Blumenthal (D-CT) introduced a new bill to the Senate that would add requirements for medical device cybersecurity, including mandated testing and better remote access protections.
The Medical Device Cybersecurity Act of 2017 seeks to improve medical device security by:
- Increasing transparency of medical device security by creating a “cyber report card” for devices and mandating testing prior to sale;
- Bolstering remote access protections for medical devices in and outside of the hospital;
- Ensuring that crucial cybersecurity fixes or updates remain free and do not require FDA recertification;
- Providing guidance and recommendations for end-of-life devices, including secure disposal and recycling instructions; and
- Expanding the DHS Computer Emergency Readiness Team (ICS-CERT) responsibilities to include the cybersecurity of medical devices.
“Without this legislation, insecure and easily exploitable medical devices will continue to put Americans’ health and confidential personal information at risk,” said Sen. Blumenthal in an announcement.
The bill is supported by the College of Healthcare Information Management Executives and the Association for Executives in Healthcare Information Security.