Fears of hackers targeting US hospitals, medical devices for cyber attacks
Two doctors, who are self-proclaimed hackers, are helping other doctors prepare.
-- Cybersecurity experts are rushing to analyze the new ransomware known by some as “Petya” that quickly spread to countries around the world Tuesday, including the United States, with hackers holding computers hostage for ransom payouts.
Among the U.S. computers affected in the Petya attack were hospital computers, and experts are warning that not only is the ransomware problem getting worse, but hospital computers and medical devices are potentially vulnerable to hacking.
Last month, a worldwide cyberattack by a ransomware called WannaCry shut down 65 hospitals in the United Kingdom, and affected not just computers but storage refrigerators and MRI machines. Last January, Hollywood Presbyterian Hospital in Los Angeles paid out $17,000 after hackers took control of its computers.
“In between the bookends of Hollywood Presbyterian Hospital and the 65 hospitals shut down in the U.K., we went from being prone and prey with no predators to now a little blood in the water,” said cybersecurity expert Josh Corman. “Hospitals and health care went to the No. 1 targeted industry last year, in less than one year … so our relative obscurity is over.”
The popular TV show “Homeland” included a scene where the president’s pacemaker was hacked, and researchers say that threat is very real. So much so, that former Vice President Dick Cheney revealed on CBS's "60 Minutes" in 2013 that he had the wireless capability on his pacemaker turned off.
To combat this problem, doctors, security experts and government employees recently converged at the University of Arizona Medical School in Phoenix to witness the first-ever simulated hack of a hospital.
The event was organized by Dr. Jeff Tully, a pediatrician, and Dr. Christian Dameff, an emergency medicine physician, both of whom are graduates from the University of Arizona Medical School and both are self-proclaimed hackers.
“When you say a hacker, everybody immediately thinks of darkly lit rooms, hooded characters that are nefariously typing and hacking the Pentagon,” Dameff joked. “Really hackers are great, they’re fantastic for the most part, there’s a lot of really great hackers out there.”
Dameff said there are some they call “white hat hackers” who he said use their skills for good.
“When they find vulnerabilities in systems, they fix them, they talk to device manufacturers, they talk to software companies, and fix them, because they know that there are bad hackers out there, and if people don’t do that, then it’s free range for the bad hackers,” he said.
Tully said “anything that is plugged in,” whether it has a Wi-Fi connection or not, can be vulnerable to hacking, and lots of medical devices, such as pacemakers and ventilators, are connected to the internet for the benefit of the patients.
“Pacemakers can connect with a device at home that monitors the rhythms of the heart and are able to send that information to doctors,” Tully said. “These things are good for patients and we don't want people turning away from the promise that these type of technology have.”
For their demonstration, Tully and Dameff staged a massive cyberhack at the medical school's simulation center using three critical mock patients, without the doctors involved in the simulation knowing what was about to happen. One mock patient had a simulated calcium channel overdose from a hacked bedside infusion pump, another’s pacemaker was made to malfunction, and in another, an insulin pump delivered an unauthorized dose -- all by security researchers and doctors simulating these devices being manipulated.
Despite the hacks, the doctors involved in the simulation were able to save all of the mock patients.
Dr. Marie Moe, a security researcher from Norway observed the demonstration. She and her team researchers have figured how to hack a pacemaker. That pacemaker scene in “Homeland,” Moe said “is not that far-fetched.”
She said she buys pacemakers on eBay so she and her team can practice hacking them. Moe herself has a pacemaker so this kind of threat is very real to her.
“The reason I do this is to prove that the security is not implemented well enough,” she said.
Billy Rios, a hacker in San Francisco, takes apart and hacks different medical devices, such as pacemakers and insulin pumps, using an internet connection and programs he developed. He demonstrated how a bedside infusion pump, which has a Wi-Fi connection, could be hacked.
“These pumps have a firewall that’s there but it’s really easy to turn off,” Rios said. “Once the firewall is turned off we are going to connect to the pump and send it commands … if this were connected to a patient, it would dump all of the drugs into a patient.”
Once a hacker is connected to the pump’s network, Rios said, it can be controlled remotely.
“You could be 1,000 miles away as long as you’re connected to a network, you could be at a Starbucks, or at a hotel, or you could be in another country,” he said. “It’s almost as if the pump has a life of its own.”
Cybersecurity expert Josh Corman, who recently served on a congressional task force for the U.S. Health and Human Services Department to investigate health care systems, said these systems are easy to hack because often the computers are running “on very old, unsupported systems.”
“Systems like Windows XP and older ... They don’t even get patches anymore,” he said.
Another issue Corman said is that “hospitals tend not to invest in qualified [cyber]security personnel.” He and his team conducted a yearlong investigation and said they found that “about 85 percent or more of the hospitals don’t have a single qualified security person on staff.”
“When a medical device is expected to live in the field for 30 years, the underlying software components are only expected to live two years to 10 years, so there’s a big mismatch there we have to rectify and reconcile,” said security expert Beau Woods, who worked with Corman’s team.
AdvaMed (Advanced Medical Technology Association), an American medical device trade association told “Nightline” in a statement in part, “The medical technology industry’s chief priority is patient safety, and medical device manufacturers take seriously the need to continuously assess the security of their devices in a world where the risks, no matter how remote, evolve.”
The FDA, which regulates medical devices, told “Nightline” in a statement in part, “Cybersecurity risks are constantly evolving and the FDA has been working diligently to address medical device cybersecurity in all phases of a product’s lifecycle.”
There are currently no known cases of illicit hackers manipulating someone’s pacemaker or any other medical device in a real world setting, but Tully and Dameff want to continue to work with doctors to make them aware of these risks.
“We came to med school to become doctors, but before that we were hackers,” Tully said. “I think our parents are just happy we’re not in jail.”