How hackers are approaching medical cybersecurity

PHOENIX—Within minutes of each other, two patients were wheeled into the hospital emergency department with emergency haste.

The first patient, a woman in her early 70s, was suffering from what appeared to be a stroke: She was weak on the left side of her body and had difficulty speaking.

The attending physician, Dr. Paul Pugsley, called for a CT scan to see if the stroke was caused by bleeding of the brain or a blood clot. If from a clot, he would be able to safely administer the clot-busting medication alteplase to break it up. The faster that alteplase is given in those cases, the better the chances the patient has of literally walking away.

The second patient was experiencing a crushing chest pain. Dr. Pugsley suspected a heart attack and called the catheterization lab to have images made of the man’s arteries so he could identify which artery, if any, was blocked. But something beyond the patient’s condition was wrong.



READ MORE ON MEDICAL CYBERSECURITY


The hospital technology these situations called for was not properly functioning. The technicians running the cath lab and the CT scanner said their computers were unusable, their screens showing only one thing: a demand for bitcoin. Their machines had been knocked offline by ransomware, just as these patients needed them most.

Dr. Pugsley had moments to decide what to do. The stroke patient had returned to the emergency room, and her symptoms were getting worse. The doctor and his team stabilized her breathing, then sent her to the neuro-intensive care unit for further monitoring. Likewise, he stabilized the heart attack patient with a ventilator before transferring him to another hospital.

Although each patient might ultimately suffer from dire complications related to the hospital’s technological woes, neither died. And behind a one-way glass wall, a crowd of hackers, doctors, medical-device makers, hospital administrators, and health care delivery organization representatives observing this University of Arizona College of Medicine medical-training simulation erupted in a round of applause.

The role-play simulation, which used actors and dummies outfitted with realistic body weights, parts, and functions as patients, was a success. Everybody in the teaching emergency room and observation room had known which circumstances Dr. Pugsley would face except Dr. Pugsley himself.

Afterward, Dr. Pugsley told The Parallax that the experience was “frightening and surprising.”

Dr. Paul Pugsley’s medical cybersecurity crisis in the Emergency Room was part of a simulation at the CyberMed Summit 2018 to teach doctors about complications that can arise from cyberattacks against medical devices and hospitals. Photo by Seth Rosenblatt/The Parallax

“I would never think twice about the lack of an appropriate CT scan,” he said.

Less than two hours later, Dr. Rachel Helpling went through a similar ER simulation ordeal. Like Dr. Pugsley, she was not made aware in advance of which symptoms her patient would present, what the underlying causes of the problem was, or even whether cybersecurity complications would play a role in the scenario.

Dr. Helpling’s simulated patient was hooked up to a pacemaker hacked to misfire. To stop a heart attack from killing the dummy woman, she cut her open and clipped the pacemaker wires—a technique rarely used to manage faulty pacemakers in the decades since the devices became popular.

“They don’t teach that in a medical textbook,” she told conference attendees. In a real situation like this at a rural hospital, where doctors are less likely to get trained to handle complications related to cybersecurity vulnerabilities, “She’d be dead.”

The point of the role playing here at the two-day CyberMed Summit is to encourage more collaboration between hackers, federal officials, medical professionals, medical-device makers, and health care delivery organizations. Together, the thinking is, they can better prepare for—and hopefully stop—new medical cyberattacks.

“I’d like to say that within three years, every radiological device [such as a CT scanner or MRI machine] is updatable and patchable.”
—Dr. Suzanne Schwartz, associate director of science and strategic partnerships, U.S. Food and Drug Administration

As The Parallax explored in our September special feature on the intersection of cybersecurity and medicine, the subject and mission are far from simple. Cybersecurity researchers focusing on medical technology and hospital systems worry about the impact on patient care from ransomware attacks against electronic medical-record systems and doctor dictation systems; hackers trying to interfere with pacemakers, insulin pumps, and other personal medical-device operations; and a history of willful ignorance of the problems and their consequences among doctors, hospital administrators, medical-device manufacturers, and government officials.

Cybersecurity researchers’ warnings are made paradoxical by the fact that most hacked medical devices have not led to wide-scale, immediate threats to patient safety. If the risk appears to be low, then what’s the problem? But as more and more health care-critical devices become Internet-accessible, the risks are spreading and intensifying.

Jay Radcliffe, a cybersecurity researcher at biotechnology device maker Thermo Fisher Scientific, believes that if his fellow hackers don’t proactively collaborate with other stakeholders in the medical community, the ultimate costs could be catastrophic.

“The current state is low-risk, but [the] next state will be high-risk,” he explained during his conference presentation. As an adult with Type 1 diabetes and an automated insulin pump, Radcliffe’s interest in the field is hardly academic: His life could depend on his research.

Many of the experts gathered here echo Radcliffe’s concerns over the state of medical cybersecurity. Dr. Suzanne Schwartz, associate director of science and strategic partnerships at the U.S. Food and Drug Administration, says that while progress has been made, medical-cybersecurity stakeholders still have a lot to accomplish before patients can breathe easy.

“I’d like to say that within three years, every radiological device [such as a CT scanner or MRI machine] is updatable and patchable,” she says.

Many expensive hospital machines are exposed to hackers because they’re running unpatched software on outdated operating systems. Even applying security patches is fraught with administrative complications. Sometimes, hospital administrators bear the managerial and financial responsibilities. And often, patches fall at the feet of defunct vendors or outdated service contracts.

The biggest problem Dr. Schwartz, a former surgeon, says she now faces is convincing doctors to take the threats of hacked medical devices and hospital networks seriously.

“If we can’t get over that hurdle, then why are we doing this?” she asks. Getting doctors to understand the dangers involved in a cybersecurity attack that renders CT scanners or MRI machines inoperable might not be difficult, “but for implantables, it is.”

Dr. Christian Dameff, co-organizer of the CyberMed Summit 2018, explains to observers on December 13 what is happening during the Emergency Room training simulation. Photo by Seth Rosenblatt/The Parallax

She says the FDA is seeking out doctor’s organizations and other medical professional groups to pull them into the discussion process, including at its next public meeting about medical devices. A workshop she’s leading on January 29 promises to include debate on implementing a cybersecurity bill of materials for medical devices.

Beyond problems related to cybersecurity education lie legal issues surrounding what Northeastern University law professor Andrea Matwyshyn termed in a Wall Street Journal column the “Internet of Bodies.”

Who controls Internet-connected devices in our bodies, which many of us rely on to live? Who can use body-derived data? And who is responsible for ensuring that the devices work as intended? Such questions are no longer relegated to science fiction, she says. They’re a central aspect of today’s debates over medical cybersecurity and privacy.

Eventually, the medical-cybersecurity challenges may boil down to how patients can advocate for their needs, or how prepared doctors and nurses are to competently respond to patients’ questions and circumstances, says Marie Moe, a cybersecurity researcher who made waves in 2015, when she debuted vulnerability research on the pacemaker that she relies on to keep her heart beating.

Moe says doctors at her hospital in Norway fear her because she asks many questions about the health of her heart—and her pacemaker.

“They even recognize me when I walk into the hospital: ‘There goes that hacker patient,’” she says. “Transparency is the only way that we can move forward.”

Correction on December 19 at 2:27 p.m. PDT: A previous version of this story misidentified the type of diabetes Jay Radcliffe has. It is Type 1.