It’s been around 10 years since security researcher Jay Radcliffe got up onstage at a conference and demonstrated that he was able to hack into his own insulin pump. If he’d wanted, he could have used the pump to deliver a lethal dose of the drug into his system. Instead, he demanded that medical companies take the security threat seriously.
That presentation and others like it were wake-up calls about the potential danger of connecting vulnerable medical devices to the internet, says Mike Johnson, a securities technologies expert at the University of Minnesota’s Technological Leadership Institute.
In the decade since, there’s been an explosion in the number of connected medical devices — drug infusion pumps, pacemakers, monitors — that makes the issue even more pressing. There is an average of 10 to 15 internet-connected devices on each hospital bed, security researchers estimate. “It’s just a matter of time,” Johnson says. “There are more devices and more exposure.”
That exposure is one reason the University of Minnesota set up a new Center for Medical Device Cybersecurity, which launched at the beginning of September in partnership with medical device companies like Medtronic (which made Radcliffe’s pump) and Boston Scientific. The center will function as a hub to help groups that touch medical devices at every stage in their lifecycle, from their development to their use at a patient’s bedside, understand and manage the cybersecurity risks.
“We want to bring all of these participants into the process and hopefully give them tools,” says Johnson, who’s involved with the center.
The Verge talked with Johnson about the center’s goals and the cybersecurity risks around medical devices.
This interview has been lightly edited for clarity.
Why is it important to focus on the security of medical devices?
Medical device security has been on the radar of security risk managers for a decade or more. Suddenly, there’s been an explosion in the healthcare arena around connected devices. The numbers today are 10 to 15 devices connected per hospital bed, and that’s a combination of bedside devices and potentially wearable or implanted devices as well. The more things we add to a network, the more chances it can be impacted.
“There hasn’t been a really high-profile case of a patient being killed or seriously harmed, but it’s just a matter of time.”
There hasn’t been a really high-profile case of a patient being killed or seriously harmed, but it’s just a matter of time. We know the criminal element changes. They’re mostly driven by money, but there are other people driven by making a splash, like a terrorist group wanting to kill someone over the internet.
As the risk increases, security professionals and device manufacturers and others are saying, “Well, we really need to stay ahead of this.” Healthcare is not waiting for the massive accident.
Ransomware attacks on hospitals have been a significant and escalating issue for healthcare in the United States. Does that impact medical devices as well?
The most imminent threat is probably from ransomware. We’ve seen it over and over, and we see it potentially impact patient safety. So you might think, “What does a medical device have to do with ransomware?” But it’s part of the overall ecosystem. An attacker may not take over a device, but if the device is reliant on a single point of connectivity, and ransomware takes over the command server for the devices, all the devices could stop working.
We want to understand the device’s security itself, but we also want to understand where the device sits in the ecosystem — what factors are important for it to function? What could happen to it?
Medical device companies make the products that can get hacked, but doctors and hospitals use them — and those groups often don’t have the same cybersecurity resources or expertise. How are they involved in these conversations?
Providers are exposed to a lot of risks, and medical devices are just one of them. A medical device is connected to the network, and so are heating, ventilation and air conditioning. They both have equally important risk issues that need to be addressed.
When I visualize the spectrum, if you have a device manufacturer on the left, they’re about the nuts and bolts of this piece of equipment. On the right, you have a system like a hospital that has a cybersecurity risk and has something to protect. In the lifecycle of a device, it starts with the manufacturer, and if they do a good job, that’s great — but when they send it out, the security could be reduced because of how it’s deployed at a hospital or health center. That increases the risk.
They’re an important part of the system and hopefully a part of the center. There’s a very large health system in Minnesota that we’ve been talking to as we work to expand.
Hospitals aren’t the only places with internet-connected medical devices — pacemakers are implanted in people’s bodies, smartwatches can diagnose heart problems, and people take their blood pressure through app-connected cuffs at home. Can we protect those, too?
The home network can be a scary place for anything important. There aren’t the same resources, and there are all kinds of things that can go wrong. But you have to look at everything in terms of risk and impact. If, say, a blood pressure monitor gets hacked, the results could be manipulated. Still, patients with high blood pressure go to the doctor regularly enough, so they’d be able to double-check those numbers — and maybe it wouldn’t be too dangerous. On the other hand, something like a pacemaker is physically inside the patient. Messing with that would be a different story.
“The home network can be a scary place for anything important.”
If manufacturers know this is going to end up inside someone or in someone’s home, they’d do a risk and threat assessment to understand what could happen and how big a deal it would be. Then, they’d design the security controls with that in mind. We would hope that a manufacturer would design it so even in a poorly secured network, you could have a secure connection.
What’s the first step for the center in helping to improve this ecosystem?
We’re really focusing at the beginning here on generating interest, bringing people into the consortium, and providing training opportunities. We have a hackathon coming up that the center is involved in, and we’re starting on our inaugural introductory training course in device cybersecurity. We’re targeting everyone from big players like [medical device company] Abbott to smaller groups. Medical device cybersecurity is pretty specialized. So this is designed for an engineer, or somebody else in the product development cycle, who wants to understand why security is important and how to improve it.
It’s been around a decade since this emerged as a major issue. How far is there left to go to ensure the whole ecosystem around medical devices is protected?
Security isn’t a fixed end state. There’s not going to be an end state. It’s always a process to improve where improvement is needed and protect things that are most critical to protect. We want to prioritize the changes that can make the most difference and raise the bar over time.