Medical Devices: Sitting Ducks for Dangerous Hackers

In the fall of 2013, the Mayo Clinic hired a team of professional computer investigators from some of the biggest cybersecurity firms in the country. Billy Rios was one of the “white hat” hackers, meaning he's hired to break into company computers to identify vulnerabilities. Researchers split into teams, and hospital officials at Mayo told them to do their worst with 40 different medical devices. Every day, every device was hacked, and Rios knew it was worse than they had ever imagined. The Mayo Clinic went on to develop a set of security requirements for its medical device suppliers.

While this is an enormously important step for Mayo, most hospitals do not have the resources to do that and more often than not, hospitals are at least a decade behind the standard security curve. Rios, a former U.S. Marine, has tampered with weapons systems and even with the electrical grid, hacking into the largest public utility district in Washington to show officials how they might improve public safety. From the Pentagon to Google, Rios holds an impressive background and is now making waves in the highly lacking cybersecurity of medical devices, which continues to threaten the healthcare space.

After the Mayo assignment, Rios ordered a Hospira Symbiq infusion pump that he found on eBay for about $100. Common to any hospital room, infusion pumps automatically deliver intravenous drips or injectable drugs into a patient’s bloodstream. Hospira, a company that was bought by Pfizer this year, explains that its pumps improve patient safety by automating intravenous drug delivery, which it says accounts for 56% of all medication errors. Rios discovered that it was possible to remotely take over the machine, so he sent his findings to the DHS, which forwarded them to the FDA and then to Hospira. Months passed and not one of the organizations had taken any action; the FDA seemed “to be waiting for someone to be killed before they can say, ‘OK, yeah, this is something we need to worry about,’” Rios says.

All devices, systems, and clinical applications are being compromised in hospitals everywhere and unfortunately no one seems to care. Jay Radcliffe, a researcher and a diabetic, demonstrated how he could hack his Medtronic insulin pump and make it deliver a potentially lethal dose. Last year, analysts with TrapX Security installed software in more than 60 hospitals to trace medical device hacks. After six months, TrapX concluded that all of the hospitals contained medical devices that had been infected by malware, which meant hackers could easily steal personal medical data. TrapX analysts traced the hacks to a server in Eastern Europe believed to be controlled by a known Russian criminal syndicate. 

After a recent hospital stay, Rios made a video to show how easily infusion pumps could be sabotaged, and in July the FDA issued an advisory insisting that hospitals stop using the Hospira Symbiq infusion pump. However, it didn’t force the company to fix the machines that were already in hospitals and clinics, and it didn’t require the company to prove that similar cybersecurity flaws didn’t also affect its other pump models. For some researchers, the advisory felt like an empty victory. Device makers and hospital administrators, on the other hand, feel that the staged hacks threaten to scare the public away from technologies that do far more good than harm. At any rate, Rios' most recent work has attracted many more researchers to the field. And as more vulnerabilities are identified, more vigilant security will be demanded of device makers and administrators.
