Written by: Mike Ahmadi, CISSP
Keywords: Free-Standing ER, FreeStanding Emergency Center, FEC, FSED, Satellite ER, Emergency Medicine, Emergency Department, IT, Security, Weaponized Medical Devices, Cyber Pathogens, Terrorism, Cybersecurity Attack, Wireless Interface, Implantable Defibrillators, Deep Brain Stimulators, Morphine Pumps, Infusion Pumps, Insulin Pumps, ICD, Pacemakers, US Secret Service, Codenomicion, GAO Investigation
I recently had the pleasure of sitting next to an emergency medicine physician on a plane trip back from a conference. Once we dispensed with the typical critique of airline travel, we launched into a discussion of what we both do for a living. As a fan of the television show ER, I had a lot of questions for him and he was more than happy to satisfy my inquisitive mind.
When I was asked what I did for a living, I told him I am a cybersecurity attack expert, and one of my areas of focus is medical device security. In fact, the conference I was attending was for the Advancement of Medical Instrumentation (AAMI) Medical Device Security Working Group. This peaked his curiosity, and he began asking me some questions about my work. I was very happy to have a discussion with him, because most of the members of the AAMI working group, as well as other working groups I am involved in, do not have any significant participation with the “boots on the ground” healthcare workers that our decisions will ultimately impact. Most of the participants are device manufacturers, policy analysts and consultants. A few participants are employees of large health care providers (such as Kaiser Permanente), but I have never worked with an emergency physician.
This occurred to me the moment we started talking and is part of the reason I was so interested in having a conversation with him. A patient suffering from a life threatening pathology may require emergency care and an emergency physician to properly diagnose and treat the pathology. The emergency physician’s rapid search for the etiology of life threatening conditions often occurs under great duress and under tight time constraints. This means that in order to assure success in an emergency everything needs to work as expected. The emergency physician should have a very good idea of what is going on with the patient. This requires a constant and ongoing awareness of what potential threats to the patient’s condition may exist as they continue to evolve (e.g. the latest designer drug to hit the rave scene), as well as confidence that the medical equipment will function properly.
As I began telling my travel companion about medical device cybersecurity attack issues, I noticed an interesting look on his face. Many find what I do interesting, but not often connected to their profession. He was fascinated and understood that someday he was going to have to face what I was discussing, and he was going to have to make a decision in a life or death scenario which would depend on his direct understanding of what I was describing. This was somewhat humbling to me because I realized that this was “the person” that all my work in this field would ultimately affect.
The physician was very fascinated with what I told him and put me in touch with the editor of this journal who asked me to pen this article. I am happy to do so, and feel that this is perhaps one of the most important articles I have ever written. I believe that this is the audience that needs to understand this information.
I will begin by describing the challenge in simple terms. Medical devices are all becoming computerized and are quickly becoming “connected medical devices”. A connected medical device is one that is designed to communicate with a network. This network can be as simple as a handheld monitor for an insulin pump, or as complex as a global network of hospitals and devices spanning the entire planet. We have extended these networked medical devices to encompass nearly every aspect of health care. A pacemaker or cardiac defibrillator can be monitored and adjusted through a wireless interface by a physician many miles away from the patient who is sitting comfortably at home. This increases the quality of life for a patient and increases the capability of the physician to deliver consistent and timely health care. Imagine the way a pacemaker was adjusted prior to wireless interfaces. A physician literally had to bore a hole in the patient’s chest and adjust a setscrew. One can imagine the terror some patients must have felt at the notion of going into the doctor for an adjustment. Adding a wireless interface to implanted devices eliminated such discomfort and decreased the risk for infection. Additionally, patients would be able to avoid long office wait times and the inconvenience of travel. The physician’s ability to check on a patient in a non-intrusive manner can, and does lead to lower health care costs and a higher quality of life.
Other devices use a health care provider network and provide great advantages to both the health care professional and the patient. Infusion pumps have the ability to communicate wirelessly over a Wi-Fi network and can be managed remotely from a console at a nurse’s station. By a wireless patient monitor, a health care professional can monitor many more patients in real time than would be possible by traditional walking rounds. Additionally, large pieces of fixed equipment (such as X-Ray machines) and hospital device and data management systems can be accessed remotely by either a health care professional or a vendor maintenance professional for convenient and immediate information gathering and upkeep.
This technological explosion in health care has been very well received by many health care provider organizations, and particularly by ones that are cost conscious (such as large HMOs). In any large hospital today and you will notice that nearly every piece of electronic equipment has some sort of connectivity. The equipment that does not connect will soon become outdated and replaced by their modern counterparts. Health care professionals are left with little choice in the matter.
All this eventually led to what I would consider a seminal event in the world of medical device technology. In 2008, an enterprising group of students led by Dr. Kevin Fu (Ph.D.) at the University of Massachusetts in Amherst presented a project and paper titled “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.”
This paper was presented at an Institute of Electrical and Electronics Engineers (IEEE) conference and created quite a media stir for a short time. In this paper, Dr. Fu and associates (Daniel Halperin) describe how they were able to wirelessly access an implanted cardiac device and make changes to the device, some which can be harmful to the patient. This was the first time the ability and danger of gaining unwanted access to medical equipment was discussed in a scientific setting.
While disconcerting, this did not lead to any radical change in the device manufacturing community. Some companies made changes in the way they addressed security. Some were already addressing security and some chose to adopt a “wait and see” attitude. What eventually led to a heightened awareness in the security research community was a demonstration at the Black Hat security Conference in 2010. Another security researcher by the name of Jay Radcliffe, a diabetic who wears a portable insulin pump, used a live demonstration to hack his own insulin pump and demonstrated that he could send wireless instructions to deliver a lethal dose of insulin.
This led to a media frenzy, a Congressional inquiry, and a GAO investigation into the cybersecurity attack issues of medical devices. Keep in mind that this was different than prior (and ongoing) HIPAA HITECH work on cybersecurity attack issues related to medical records as they relate to privacy. This GAO investigation focused on cybersecurity attack issues that ultimately affected the safety and physical well being of a patient. It was an investigation into the intentional or unintentional weaponization of a medical device. This was indeed a new horizon.
At this point, security researchers began taking a deeper dive into the world of medical device security and what they discovered, and continue to discover, was grim. The late Barnaby Jack discovered that he could dramatically increase the distance required to attack an insulin pump. Security researcher Billy Rios discovered he could hack and exploit a hospital management system that connected to multiple devices. Members of my own organization, Codenomicon Ltd., discovered that entire networks of patient monitors could be rendered non-operational by merely injecting a few malicious packets into a wireless network through a process known as fuzzing. These and other researchers discovered that malicious code could be introduced to networks of devices that could significantly alter, damage, and control devices both inside a patient and on a hospital network. This was the discovery of “digital pathogens”.
This means that the human body is no longer only susceptible to carbon-based pathogens, or natural causes. The human body is now susceptible to damage via malicious computer code. Imagine a patient that comes into an emergency room with an insulin pump who has overdosed on insulin. If the overdose was caused by a malicious attacker forcing the pump to deliver a lethal dose of insulin, how would an emergency physician know? If there were multiple similar deaths in rapid succession, would the emergency physician be able to accurately determine the root cause and report it to law enforcement? What if a pacemaker (or other implanted device) was malfunctioning because rogue malicious code had accessed the device? How would an emergency physician diagnose and treat such events?
The US Secret Service prepared for such issues when Dick Cheney was Vice President of the United States. He required an implanted cardiac device and the wireless functionality was purposely disabled on his device in order to prevent wireless attacks. This, however, is only one known example of measures taken to prevent medical cybersecurity attacks and serves as evidence that some are taking the issue quite seriously. Medical cybersecurity could affect both patients who have implanted or body-worn devices and most networked health care equipment with external communication.
I hope this has been eye opening to you, as a reader, and especially if you are an emergency physician. I do not know what the solution is to these new challenges, but raising awareness is a good first step. I have reached out to some of my colleagues in hope that they will contribute some articles as well, and keep in mind that there is a community of researchers, device manufacturers, regulators, and health care professionals working to resolve these issues. What we can truly use is some insight from emergency workers.
We thank Mike Ahmadi and his colleagues for their intense work on this issue. It is important that the medical community, especially Emergency Physicians, become more aware of this fascinating and terrifying topic. It is hoped that this increase awareness will allow the impact of these cybersecurity attacks to be minimized and more quickly recognized. Ultimately, we intend to prevent these attacks. It is likely that Emergency Physicians will be the first to encounter this new “cyber” etiology. Our next issue of the the JFSEM will have the next part of this series on cyber pathogens and weaponization of medical devices.