As the wave of cybersecurity threats to the healthcare industry continues to swell, the US Food and Drug Administration (FDA) has moved to coordinate with other agencies on how to respond in the event of a serious medical device hacking incident—such as someone killing a patient by hacking their infusion pump or pacemaker, according to The Hill.
Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health, told The Hill that “one should consider the environment a hostile environment, there are constant attempts at intrusion,” and that manufacturers have to be “hardened” to that environment.
While electronic health records have been compromised in the tens of millions, there have been no known medical device hacking incidents that have caused patient harm. But vulnerabilities do exist. The FDA warned hospitals against Hospira’s Symbiq infusion pumps in 2015 due to a vulnerability that could be exploited via a hospital network, according to the article. And some providers might remember when Johnson & Johnson informed customers last fall that its insulin pumps, the Animas OneTouch Ping, had a security vulnerability that hackers could exploit due to the wireless controller’s connection point, The Hill reported.
“Vulnerabilities in pacemakers and insulin pumps can be exploited to cause potentially lethal attacks and we have witnessed entire hospitals in the U.S. and U.K. shutting down for multiple days to combat ransomware infections in critical systems,” Terry Rice, vice president of IT risk management and chief information security officer at Merck & Company, told the Energy and Commerce Oversight and Investigations Subcommittee this month, according to the article.
Indeed, ransomware threats continue to proliferate for the healthcare industry as well. Researchers from security firm Forcepoint have discovered a “new, off-the-shelf ransomware variant dubbed Philadelphia that is targeting the healthcare industry,” according to a Healthcare IT News article.
This new ransomware is something that amateur hackers can purchase, and it has already been used to infect a hospital in Oregon and southwest Washington, according to the article. The ransomware infects a network when a user double-clicks any of the icons embedded in a malicious Microsoft Word file. The document is designed to look as though it came from within the healthcare organization, including familiar content such as the organization’s logo.
There is currently a free decryptor for the Philadelphia ransomware, available from security firm Softpedia, but it is a drop in the bucket when it comes to addressing healthcare’s cybersecurity woes. Analysis of Philadelphia also uncovered the term “hospitalspam” in the directory path, indicating that it is part of an ongoing hospital spear-phishing campaign. According to the researchers, “this may signify the start of a trend wherein smaller ransomware operators empowered by ransomware-as-a-service platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the healthcare sector,” Healthcare IT News reported.
And while medical device hacking still seems like the stuff of a television drama script, experts warn that very real threats of that kind lie on the horizon as well. Because FDA premarket guidance directs that “medical device security is a shared responsibility between stakeholders, including healthcare facilities, patients, providers, and manufacturers of medical devices,” the groundwork is there to assert that manufacturers need to step up and sharpen device security.
In the meantime, the key word for the industry is vigilance.
Sarah Sheber is assistant editor and web editor at Journal of AHIMA.