Suzanne Schwartz, FDA
Yes, Cheney's pacemaker cyber attack fears were credible
October 24, 2013
by Carol Ko, Staff Writer
Former vice president Dick Cheney made headlines this week after admitting in a 60 Minutes interview that he disabled his pacemaker's Wi-Fi in 2007 to thwart terrorists who might try to hack into it and kill him.
Though this scenario sounds like something out of a science fiction movie (an episode of the Showtime series "Homeland" featured a similar plot line), it turns out these fears aren't unfounded.
In 2008, computer scientist Kevin Fu, now at the University of Michigan, demonstrated in a research lab that he could hack into a combination heart defibrillator and pacemaker to induce potentially fatal electric jolts.
Last year, researchers at computer security firm McAffee claimed they'd found a way to hack into an insulin pump to make it release 45 days worth of insulin in one go.
And finally, security analysts Terry McCorkle and Billy Rios of Cylance discovered a hard-coded password vulnerability affecting over 300 devices across 40 vendors that could be exploited to change critical settings or modify the device. They alerted the U.S. Food and Drug Administration to their findings.
Devices affected included ventilators, drug infusion pumps, external defibrillators, patient monitors, and laboratory and analysis equipment.
The agency took action by communicating with the vendors identified in the study and holding a stakeholder call in which their anonymity amongst each other was maintained.
However, it took some heat when it rebuffed hospital security officers' requests to access the list of implicated devices. "We were not going to give out that information publicly," said Suzanne Schwartz, director of emergency preparedness/operations & medical countermeasures at the CDRH/FDA, in a web conference call hosted by ECRI Institute.
Schwartz explained that if Rios and McCorkle had wanted to invest more effort, they could have identified thousands of more devices with similar vulnerabilities.
"The lesson is not to point fingers at one particular manufacturer or system but rather to view this as a call to action to keep our shops in order," she said.
Blame game
Of course, part of the problem with medical cybersecurity is that there's no single entity in charge of keeping those shops in order, so to speak.
In the past, hospitals and manufacturers have pointed fingers at each other for hampering cybersecurity efforts. Manufacturers claim that hospitals don't want to pay for it, while hospitals claim manufacturers don't provide devices they can secure.
Some manufacturers even claim that the FDA itself is responsible for outdated security, since they say patch updates would require 510k re-certification of the device.
"We need to debunk the myth that FDA won't let us apply a patch. We're looking to hospitals to be proactive," said Schwartz, who said the device industry must do their part by building security into device design, while heath care facilities need to perform impact analyses and risk assessments.
"I've spoken to the FDA about this issue and they have advised me that device manufacturers have a responsibility to secure their products and there is no 510k re-certification needed when security patches are added," John Halamka, CIO of Beth Israel Deaconess Medical Center, wrote in a blog post this February.
Regardless of who's at fault, one thing is clear: all parties in the health care chain need to be active participants in maintaining cybersecurity.
Silos
Even within hospitals, cybersecurity will require a greater degree of cross-departmental teamwork and cooperation than ever before.
Because responsibility for device cybersecurity straddles the line between biomedical engineers and health IT, both departments must work together to ensure that hospital devices are adequately protected against cyber threats.
But challenges abound when securing medical devices in hospitals. "Many legacy operating devices could be all over the board in terms of systems — some are still on Windows 95," said Anthony Coronado, biomedical engineering manager at Methodist Hospital of Southern California, which recently won an award from the ECRI Institute for its cybersecurity program.
The first step toward device cybersecurity is performing a comprehensive risk assessment to define security vulnerabilities, according to Coronado.
Coronado and his team then tried to assess whether these devices could be included in the hospital's IT domain to take advantage of its safeguards. Since certain IT domains require Windows 7 or higher, outdated devices may need to be upgraded to join the network.
Ultimately, implementing such a program requires the cooperation of more than just the hospital's biomed and IT team — hospital administrators and purchasers also need to buy in to the program and make room for operation system updates in their budgets, consult with the IT and biomed staff when purchasing devices, and craft IT system management policies for all departments.
New territory
Concerns around cybersecurity are especially relevant now that mobile medical apps are experiencing a new boom.
The FDA released its final guidance for mobile medical apps last month. "We have adopted a posture of not regulating the majority of mobile medical apps — only those that are really within what would be considered to be an area of concern in terms of patient safety," said Schwartz.
The guidance affects devices that turn the smartphone into a medical device or are intended to be used as an accessory alongside a medical device.
Schwartz said that those apps would fall under the same cybersecurity framework of expectation as any other medical device.
Though this scenario sounds like something out of a science fiction movie (an episode of the Showtime series "Homeland" featured a similar plot line), it turns out these fears aren't unfounded.
In 2008, computer scientist Kevin Fu, now at the University of Michigan, demonstrated in a research lab that he could hack into a combination heart defibrillator and pacemaker to induce potentially fatal electric jolts.
Last year, researchers at computer security firm McAffee claimed they'd found a way to hack into an insulin pump to make it release 45 days worth of insulin in one go.
And finally, security analysts Terry McCorkle and Billy Rios of Cylance discovered a hard-coded password vulnerability affecting over 300 devices across 40 vendors that could be exploited to change critical settings or modify the device. They alerted the U.S. Food and Drug Administration to their findings.
Devices affected included ventilators, drug infusion pumps, external defibrillators, patient monitors, and laboratory and analysis equipment.
The agency took action by communicating with the vendors identified in the study and holding a stakeholder call in which their anonymity amongst each other was maintained.
However, it took some heat when it rebuffed hospital security officers' requests to access the list of implicated devices. "We were not going to give out that information publicly," said Suzanne Schwartz, director of emergency preparedness/operations & medical countermeasures at the CDRH/FDA, in a web conference call hosted by ECRI Institute.
Schwartz explained that if Rios and McCorkle had wanted to invest more effort, they could have identified thousands of more devices with similar vulnerabilities.
"The lesson is not to point fingers at one particular manufacturer or system but rather to view this as a call to action to keep our shops in order," she said.
Blame game
Of course, part of the problem with medical cybersecurity is that there's no single entity in charge of keeping those shops in order, so to speak.
In the past, hospitals and manufacturers have pointed fingers at each other for hampering cybersecurity efforts. Manufacturers claim that hospitals don't want to pay for it, while hospitals claim manufacturers don't provide devices they can secure.
Some manufacturers even claim that the FDA itself is responsible for outdated security, since they say patch updates would require 510k re-certification of the device.
"We need to debunk the myth that FDA won't let us apply a patch. We're looking to hospitals to be proactive," said Schwartz, who said the device industry must do their part by building security into device design, while heath care facilities need to perform impact analyses and risk assessments.
"I've spoken to the FDA about this issue and they have advised me that device manufacturers have a responsibility to secure their products and there is no 510k re-certification needed when security patches are added," John Halamka, CIO of Beth Israel Deaconess Medical Center, wrote in a blog post this February.
Regardless of who's at fault, one thing is clear: all parties in the health care chain need to be active participants in maintaining cybersecurity.
Silos
Even within hospitals, cybersecurity will require a greater degree of cross-departmental teamwork and cooperation than ever before.
Because responsibility for device cybersecurity straddles the line between biomedical engineers and health IT, both departments must work together to ensure that hospital devices are adequately protected against cyber threats.
But challenges abound when securing medical devices in hospitals. "Many legacy operating devices could be all over the board in terms of systems — some are still on Windows 95," said Anthony Coronado, biomedical engineering manager at Methodist Hospital of Southern California, which recently won an award from the ECRI Institute for its cybersecurity program.
The first step toward device cybersecurity is performing a comprehensive risk assessment to define security vulnerabilities, according to Coronado.
Coronado and his team then tried to assess whether these devices could be included in the hospital's IT domain to take advantage of its safeguards. Since certain IT domains require Windows 7 or higher, outdated devices may need to be upgraded to join the network.
Ultimately, implementing such a program requires the cooperation of more than just the hospital's biomed and IT team — hospital administrators and purchasers also need to buy in to the program and make room for operation system updates in their budgets, consult with the IT and biomed staff when purchasing devices, and craft IT system management policies for all departments.
New territory
Concerns around cybersecurity are especially relevant now that mobile medical apps are experiencing a new boom.
The FDA released its final guidance for mobile medical apps last month. "We have adopted a posture of not regulating the majority of mobile medical apps — only those that are really within what would be considered to be an area of concern in terms of patient safety," said Schwartz.
The guidance affects devices that turn the smartphone into a medical device or are intended to be used as an accessory alongside a medical device.
Schwartz said that those apps would fall under the same cybersecurity framework of expectation as any other medical device.