Cyberattacks are accelerating worldwide and the U.S. health care system is dangerously unprepared to defend itself, or its patients.
In the past two months, thousands of computers of the nation’s No. 3 pharmaceutical company, Merck, seized up amid a global cyberattack, cutting into production of medicines. The same rogue digital worm crippled a hospital system north of Pittsburgh, Pennsylvania.
From insulin pumps and defibrillators, and on to expensive CT scanners and MRI machines, medical devices are increasingly connected to networks. Patient medical records are online. When networks go down, physicians say it is like operating in the dark.
“It’s going to get worse,” said Chris Wysopal, cofounder and chief technology officer at Veracode, a Burlington, Massachusetts, cybersecurity firm. Wysopal pointed to fallout from the WannaCry digital worm that swept the globe in March and the Petya malware that hit in June, leaving collateral damage in the health care sector.
Cybersecurity in the health care sector — which employs 9 percent of the U.S. workforce and represents a sixth of the nation’s economy — “needs immediate and aggressive attention,” a task force mandated by Congress warned in June.
Indeed, security experts expect that the quickening pace of hackers’ attacks will soon affect health care. And those who have studied health care’s specific vulnerabilities worry that hackers — working for enemy states or cybercrime groups — could train their digital sights directly on U.S. hospitals, health care networks and medical devices.
“We’re going to have our digital D-Day, our cyber D-Day, if you will, in medical, and there’s going to be patients that die. It’s going to be a big deal,” said Dr. Christian Dameff, an emergency room physician and expert on cyber vulnerabilities.
Doctors like Dameff, who recently co-led a summit at the University of Arizona College of Medicine on medical device hacking, are gaming out scenarios of types of attacks that could impact the health care system. Among the scenarios experts predict are possible:
- A malicious worm rockets through a particular type of medical device, say, an infusion pump, and hundreds, maybe thousands, of patients collapse.
- Hackers determined to collect ransom or sow destruction attack the networks of hospitals in an entire geographic region, depriving physicians of electronic medical records and forcing evacuation of critically ill patients over hundreds of miles.
- A terror attack on a metropolitan area coincides with a hack against the city’s hospitals. Just when emergency medical care is most needed to deal with victims, the health sector finds itself crippled.
Hacking of medical devices is literally the stuff of Hollywood. In the second season of the series “Homeland” on Showtime in late 2012, a U.S. vice president is killed by manipulation of his pacemaker. A year later, former Vice President Dick Cheney acknowledged that he’d disabled his pacemaker’s wireless capabilities to thwart any possible assassination attempt.
The plot twist reflected what security researchers had already discovered.
When Jay Radcliffe, an IBM senior threat intelligence analyst with Type 1 diabetes, looked into the security of his own insulin pump, “what I found was really kind of shocking.”
Operating remotely, he discovered that he could turn the pump on and off, and “I could change all the insulin settings so instead of giving one dose of insulin, I would give 10 or 50.”
In short, Radcliffe discovered that hackers tinkering with the pump could kill him.
Recalling that early research in 2011, Radcliffe, speaking at a roundtable in Las Vegas at a DefCon hacker conference late last month, said the threat against current generation insulin pumps is “very low” because they require hackers to be in close proximity to the devices and manufacturers, worried about facing reports of vulnerabilities, hustle to upgrade security.
But Radcliffe, who now works for Rapid7, a Boston cybersecurity firm, said medical and scientific advances continue to outpace the ability of companies to keep their devices secure.
“The message right now is, yeah, this isn’t going out and kill people like on ‘Homeland.’ But it will in the next generation,” Radcliffe said.
Still, manufacturers resist acknowledging any vulnerabilities. When St. Jude Medical, a St. Paul, Minnesota, maker of cardiac implants, was hit by short sellers last year over charges that its devices were vulnerable to cyberattack, it hit back with a defamation lawsuit.
Most hospitals have a plethora of devices – monitors, infusion pumps, glucose meters, ventilators, and scans – which come to an average of 10 to 15 medical devices per hospital bed in the United States, most of them connected to networks.
“All of these devices are connected today and they are all giving readouts of patients,” said Cathie Brown, vice president of governance, risk, and compliance for Impact Makers, a Richmond, Virginia, consultancy.
Most devices are not interoperable, creating a mosaic of software challenges. Some machinery, like CT scans and MRIs that can cost upwards of $300,000 a piece, use older, often vulnerable software. Replacing them is out of the question for cash-strapped hospitals.
Even large hospitals devote little to cybersecurity, often having only one tech or two who work with manufacturers to do upgrades but tend little to broader security issues.
“Many hospitals are interconnected now. And so an attack could be launched at one hospital, code could be planted, lying dormant, until a kill switch went off, and it would spread like wildfire,” Brown said.
A hacking group may eventually seek to target a network of hospitals.
“Cyberattacks are very scalable. You can go from one hospital to 500 hospitals with much less effort than it takes to attack 500 hospitals physically,” said Dameff, the physician. “You can see that these risks, they explode.”
The May 12 WannaCry ransomware attack – which locked down some 150,000 computers around the world – had a calamitous impact on Britain’s National Health Service, knocking out 48 hospitals and clinics for days.
In a mass outage affecting hospitals in a region, delays in care would affect not just high-risk heart and stroke patients but also potentially thousands of other patients with conditions such as allergies whose electronic medical records were suddenly unavailable to physicians.
“If the electronic medical record went down, and this patient was in a coma in the ICU and I didn’t have any physical paper documentation of his allergies, which is often the case now … then I could inadvertently administer a medication that a patient is allergic to,” Dameff said.
He added: “In a disaster situation, we would have dozens and dozens of these types of events, all of which would impact patient mortality.”
The realization that cyberattacks can have such broad impact in the health care sector may be animating cyber criminals.
“Some of these attacks are like ringing the dinner bell for adversaries,” said Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council, a think tank in Washington. “Once they know they can and it’s that easy, at that point it becomes a race.”