Health technology: Are medical devices protected?

Once a hacker gets through a hospital’s firewall, they don’t often come up against any other lines of defense protecting medical devices.

BGU’s Prof. Amos Katz (photo credit: DANI MACHLIS)
“I thought it was a really bad idea that the vice president be fitted with a medical device that anyone in a nearby hotel room or stairwell could hack into,” said former US vice president Dick Cheney’s cardiologist on 60 Minutes, an investigative TV program, when asked about his decision to disable Cheney’s wireless pacemaker. Then the doctor looked at Cheney, who was sitting next to him, and uttered, “I was afraid someone would try to kill him.”
This interview took place back in 2007, when Cheney was still actively serving as vice president, but the concern persisted well into the next decade as this horrific scenario continued to ignite the public’s imagination. In fact, in 2012, the popular TV show Homeland dedicated an episode to this exact situation, in which a hacker takes over the vice president’s pacemaker and succeeds in wreaking havoc.
Today, 12 years after the Cheney interview, this phenomenon is still a concern in the complicated reality in which we live. “Today, it’s still pretty complicated to hack into someone’s pacemaker, since there are so many levels of defense,” says Prof. Amos Katz, a cardiologist and dean of Ben-Gurion University of the Negev’s Faculty of Health Sciences, who attended the recent CyberMed conference in Tel Aviv. “In the Homeland episode, an attempt is made to kill the vice president by hacking into his pacemaker. But I do not know of any attempts that were actually successful, except for a few claims that have not been corroborated.”
Actifile co-founder Guy Bavly. (Credit: MENASHE HERZLIYA)
Nonetheless, the US Food and Drug Administration has in the past required pacemaker manufacturers to improve their cybersecurity protection out of fear that the danger is bona fide. “This threat is real,” says Katz. “Hackers are constantly developing new methods, but to hack into a specific pacemaker you have to invest a lot of resources. Is it possible? Yes. Nothing is impossible, so we need to be wary and prepared for every scenario.”
Prof. Katz spoke about this issue at the CyberMed conference that took place in January. Other topics discussed at the conference included cybersecurity in aviation, finance and healthcare.
Katz is less concerned about pacemakers and defibrillators being hacked into. “Each device has a unique code,” Katz explains. “For example, a hacker can’t just hack into all pacemakers and change the programming code. It won’t work. He would need to sit and find a way into each device separately, and locate a specific frequency and its form of recognition. Only then could he have access to the code. So, although it’s not impossible, it is pretty intricate.”
Nonetheless, this is not the case with other areas in the medical field, as people around the world learned the hard way on May 12, 2017, with the onset of the WannaCry ransomware attack. “This incident changed the entire industry,” says Jonathan Langer, CEO of Medigate, a cybersecurity company. “We learned first-hand from this experience how vulnerable we are.”
WannaCry’s ransomware simultaneously infected more than 230,000 computers in 150 countries. The cryptoworm, which encrypted information on computers in 28 languages, demanded payment of 600 bitcoins in exchange for data retrieval. “The attackers had identified the vulnerability in the Microsoft Windows operating system,” explains Langer. “Microsoft quickly released emergency patches, which prevented WannaCry from spreading any further. The problem with applying the patches to medical devices is that they need to continue operating, which makes fixing them difficult. Some actions can be done manually, such as the recording of blood test results. This attack was extremely disruptive for medical operations.”
This attack made it clear how easy it was for medical information to reach the wrong hands, especially since hospitals can’t just turn off medical devices that have been attacked. As a result, many cybersecurity companies began focusing on the medical device industry. “We haven’t heard of any attacks on medical centers,” says Langer, “but after the WannaCry attack, people began wondering what would happen if hackers tried to gain access in order to alter medicine dosages or results from tests. If someone succeeded in doing this, they could cause substantial damage. That’s why people in the medical industry began to panic.”
Medigate CEO Jonathan Langer. (Credit: MAXIM DINSHTEIN)
The data speaks for itself. In 2017 alone, hackers succeeded in accessing medical databases 477 times, which led to the loss of information from more than 500 patients. It took hospitals between 10 months and a year on average to repair the damage. “Some of the larger attacks brought hospitals to a standstill,” says Guy Bavly, co-founder of Actifile, a medical cybersecurity company. “This is something organizations should be preparing for before it happens, since many of the attacks that take place could have been prevented.”
Medical information is worth more on the Darknet. “Social security and telephone numbers are worth only a few dollars each, whereas medical information is worth $408 on average. This industry is worth on average $3.6 million.”
How worried should people be following a hospital visit?
“They should be wary,” says Leon Lerman, CEO of Cynerio, a medical cybersecurity company. “I work a lot with hospitals and I see what happens. There’s been improvement, but they are way behind financial, insurance and hi-tech institutions when it comes to cybersecurity. They have not yet budgeted large amounts of money to protect themselves, and as a result, hospitals are extremely vulnerable to cyberattacks. In general, people should be very careful when they log onto public networks.”
“I agree,” says Langer, “I’m not saying we should be in panic mode, but there is great reason for concern. Once a hacker gets through a hospital’s firewall, they don’t often come up against any other lines of defense protecting medical devices. We all have anti-virus and other protections installed on our personal computers. Most medical devices don’t have such protections.”
Cynerio CEO Leon Lerman (left) with CTO Daniel Brodie. (Credit: MORI PHOTOGRAPHY)
Why are hackers so interested in medical information?
“Because it’s much easier to break into medical organizations than other industries. Israel at least has the advantage of being a small market,” says Langer, “which makes it a little easier to control and monitor. The medical system in the US is so mammoth and much more regulated, which makes implementing cybersecurity much more challenging. Each hospital has different needs, and hackers always search for the weakest link as a starting point for breaking in.”
Ironically, Lerman adapted a method from the field of psychology to help figure out how to handle machines that cannot be disconnected from patients. “I try to understand the device’s behavior and with whom it connects. That way, when any abnormal activity occurs, our machine recognizes it and automatically blocks it. And I can do all of this without touching the device. For example, if an unknown device makes contact with a respirator, that is immediately noted and the connection is cut. I call this our surgical solution.”
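The behavior-baselining approach Lerman describes, as an added example that is not from the article or from Cynerio: it learns which peers normally talk to a protected device and marks anything else for blocking on the network side, without touching the device. The host names, ports, the `min_seen` threshold and the flow records are constructed assumptions.

```python
from collections import Counter

PROTECTED = {"ventilator-01"}  # hypothetical device name

# Constructed flow records (src, dst, dst_port); not data from the article.
LEARNING = [
    ("nurse-station-3", "ventilator-01", 443),
    ("nurse-station-3", "ventilator-01", 443),
    ("monitor-gw", "ventilator-01", 2575),
    ("monitor-gw", "ventilator-01", 2575),
    ("vendor-laptop", "ventilator-01", 22),  # seen once: not enough to trust
]
LIVE = [
    ("nurse-station-3", "ventilator-01", 443),
    ("nurse-station-3", "ventilator-01", 23),
    ("unknown-host", "ventilator-01", 443),
    ("vendor-laptop", "ventilator-01", 22),
    ("unknown-host", "printer-9", 9100),
]

def learn_baseline(flows, protected, min_seen=2):
    """Per protected device, keep (peer, port) pairs seen at least min_seen times."""
    counts = Counter(f for f in flows if f[1] in protected)
    baseline = {dev: set() for dev in protected}
    for (src, dst, port), n in counts.items():
        if n >= min_seen:
            baseline[dst].add((src, port))
    return baseline

def judge(flow, baseline):
    """Return a verdict for one observed flow against the learned baseline."""
    src, dst, port = flow
    if dst not in baseline:
        return "ignore"  # destination is not a protected device
    allowed = baseline[dst]
    if (src, port) in allowed:
        return "allow"
    if any(peer == src for peer, _ in allowed):
        return "block:known-peer-new-port"
    return "block:unknown-peer"

def evaluate(live, baseline):
    """Judge every live flow; enforcement would happen at the switch or firewall."""
    return [(flow, judge(flow, baseline)) for flow in live]

if __name__ == "__main__":
    for flow, verdict in evaluate(LIVE, learn_baseline(LEARNING, PROTECTED)):
        print(flow, "->", verdict)
```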
Translated by Hannah Hochner.