Criminals reportedly infected Hollywood Presbyterian Medical Center computers with ransomware — malware that cryptographically locks devices. The thieves have demanded 9,000 bitcoins, the equivalent of $3.65 million, to unlock the machines, according to sources who spoke with Los Angeles television stations.
Hollywood Presbyterian is at least the fourth hospital this year to be reportedly affected by ransomware.
Though there are no recorded patient injuries or deaths tied to cyberattacks, digital security in hospitals, and, perhaps, more importantly in medical devices such as pacemakers and MRI machines, has become a growing concern in the industry.
When Avi Rubin began taking tours of East Coast hospitals in the 1990s, he found myriad reasons to worry.
Sloppy password protections at computer labs, practices vulnerable to tampering, and drug dispensing robots controlled by software.
“What if something went wrong with that software?” said Rubin, a Johns Hopkins University computer science professor, at the Enigma Conference, a security gathering in San Francisco last month.
“What if someone were attack this system and cause all the drugs to be wrong?”
If those changes weren’t noticed, thousands of people could receive incorrect dosages or medication. They could die.
The Hollywood Presbyterian incident isn’t nearly that severe.
Ransomware has long been a threat for Internet users, with thieves generally holding up individuals and businesses. The recent attack at Hollywood Presbyterian proves that the risk is real in the medical world as well.
“It’s hugely significant,” said Rubin. “It’s a demonstration in the wild of the kind of thing that’s possible.
“It’s one thing to say that hospitals are in the sights of criminals. ... It’s another when someone does it, and you see it’s not just theoretical.”
Specialized attacks
While medical care providers face the same type of threats as anyone who uses a computer, medical device makers are shoring themselves up against the risk of specialized attacks.In recent years, the medical device industry and regulators have taken action:
- In 2012, the Government Accountability Office issued a report stating that a number of intentional security threats could exploit vulnerabilities in implantable medical devices and called on the Food and Drug Administration to consider the risks in its approval process.
- In 2013, the FDA issued a cybersecurity memo to device manufacturers and health care facilities with recommendations on evaluating devices and network security.
- In 2014, the FDA issued final guidance on premarket medical device cybersecurity, and regulators held a workshop to push the issue forward.
- Last summer, the FDA and Department of Homeland Security issued a warning to hospitals about a drug-infusion system with a flaw so serious that it could give hackers entree into the devices.
- Just last month, the FDA issued draft guidance for medical device manufacturers to begin administering their own vulnerability disclosure programs — allowing outside researchers to easily flag weaknesses. That advice was tied to another workshop in Washington.
Thorny issues
“Knee-jerk reactions aren’t a good thing,” he said. “If (manufacturers) stop bringing devices to market that would ultimately cost more lives.”These are thorny issues for regulators — and controversial ones for those in the industry. Even the FDA’s attempts to establish disclosure programs have generated debate.
“When I talk to lawyers, they think that these disclosures are a terrible idea,” said Rubin. “It kind of gives the hackers a blueprint of who is more vulnerable, because if you’re having to share that you’ve been hacked and you’re doing it more than others, (criminals) may say: ‘These guys are easy to hack. Let’s go after them.’
“And they may be right.”
Treating patients
Physicians’ rules of first doing no harm apply equally to doctors, as well as cybersecurity practitioners, said Kevin Fu, the director of the Archimedes Center for Medical Device Security at the University of Michigan.As cybersecurity in hospitals has evolved, patient safety is taking precedent over computer hygiene.
The priority has always been treating patients. That’s different than, say, in financial services, where the immediate risk of loss of cash has provided a strong incentive to focus on cybersecurity.
“They are more concerned with introducing a change with a (software) patch that could cause harm to human lives,” said Andrew Hay, the chief information security officer at DataGravity, a data management and storage startup.
For example, Fu explains, pacemakers are now adjusted wirelessly where once patients and doctors risked infections by calibrating a recipients’ heartbeats manually by periodically inserting the equivalent of a rod into their armpit to reach the device.
‘Better off’
“Patients are far better off with these devices than without them,” he said. “If I was prescribed one of these devices today I’d take it in a heartbeat.”For sure, no pun intended.
“Even though I’m a researcher, I consider (cybersecurity) a secondary factor in (medical device) safety.”
©2016 the San Francisco Chronicle Distributed by Tribune Content Agency, LLC.
