While cybersecurity experts and law enforcement have been raising the red flag for years about the vulnerabilities of networked medical devices in healthcare, the chaos of the coronavirus pandemic has created the perfect storm for hackers to exploit these weaknesses.
As crowded hospital emergency rooms and ICUs in major U.S. cities try to keep up with demand for medical services, the networks of these healthcare organizations face a rising threat level from cybercriminals probing for weaknesses.
Interpol on Saturday issued an alert warning that cybercriminals are using ransomware to target healthcare organizations already overwhelmed by COVID-19 and noted a significant increase in detected health system attacks since the start of the pandemic.
Cybercriminals are "using ransomware to hold hospitals and medical services digitally hostage; preventing them from accessing vital files and systems until a ransom is paid," the international security agency said.
Interpol Secretary General Jürgen Stock warned "locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths."
Medical devices are easy targets for hackers who use them as entry points into hospital networks, according to experts.
"Your network is only as strong as the weakest link," said Nick Yuran, CEO of cybersecurity consulting firm Harbor Labs in Baltimore. "If a hacker can get into the clinical network by exploiting a vulnerability in a medical device, it can be used as a pivot point to get to those more critical elements of the network."
Caleb Barlow, CEO of cybersecurity consulting firm CynergisTek in Austin, Texas, said both criminals and nation-state attackers are figuring out how they can leverage the crisis to penetrate hospital networks. "The bad guys know healthcare is very vulnerable," he said.
"The attack surface" in healthcare, thanks to increasing use of telehealth and remote patient monitoring during the coronavirus outbreak, "has accelerated to a level we wouldn't have expected to see over a 10-year timeframe," Barlow added. "You're never going to get that genie back in the bottle."
"The attack surface has accelerated to a level we wouldn't have expected to see over a 10-year timeframe."
CEO at CynergisTek
When it comes to medical devices in the current cyberthreat environment, Barlow said he is less worried about devices already connected to the network within a healthcare organization prior to the coronavirus outbreak.
"I'm not saying they were highly secured but that was at least an existing, known set of vulnerabilities and challenges. What I'm more concerned about are these temporary medical facilities and mass movements of equipment," Barlow added.
Justin Fier, director for cyber intelligence and analytics at Darktrace, a cybersecurity firm based in a cybersecurity firm headquartered in Cambridge, London and San Francisco, said medical devices infected by ransomware can be disabled from properly performing critical clinical functions, which could lead to patient harm.
Infusion pumps and CT scanners are "plugged into other systems and you have to assume that a fraction of those will be taken offline by something as destructive as ransomware," he said.
Other threats to devices
Ransomware is just one security problem that's plagued the industry.
Last October, FDA warned healthcare providers about a set of 11 cybersecurity vulnerabilities that may pose risks for certain medical devices and hospital networks. The vulnerabilities, called URGENT/11, exist in IPnet, a third-party software component that supports network communications between computers, according to the agency.
"URGENT/11 affects several operating systems that may then impact certain medical devices connected to a communications network, such as Wi-Fi and public or home internet, as well as other connected equipment such as routers, connected phones and other critical infrastructure equipment," the FDA reported.
FDA said at the time it was not aware of any confirmed adverse events related to the vulnerabilities. But the agency warned the software to exploit these vulnerabilities is publicly available and that the risk of patient harm, if left unaddressed, could be significant.
The threat is particularly insidious because the vulnerabilities potentially allow attacks to occur undetected and without user interaction, the agency warned. Additionally, "because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures."
FDA urged medical device manufacturers to work with healthcare providers to determine which devices might be affected by URGENT/11 and develop risk mitigation plans. To what extent that occurred is uncertain.
Susan Niemeier, chief nursing officer for infusion pump maker Ivenix, is concerned about these devices and in particular about the cybersecurity vulnerabilities of the tens of thousands of legacy devices used by health systems.
“We know that the legacy pumps out there have been known to be hacked,” Niemeier said.
Yuran believes the biggest current cyberthreat is to medical devices that are in critically high demand such as ventilators, which are subject to a number of different vulnerabilities.
"There's a lot of legacy ventilators that are deployed in hospitals today that did not have the same regulatory oversights that they would face today," Yuran said. "There are a limited number of devices where a hacker could go in and do physical harm to a patient—drug infusion pumps are absolutely one of them."
Zach Rothstein, vice president for technology and regulatory affairs at AdvaMed, acknowledged that "a medical device in a hospital network can be a vector into the larger network just like anything else attached to it."
At the same time, however, Rothstein emphasized that he's not aware of any documented incidents of a hacker remotely taking control of a medical device and doing patient harm. And, in the case of ransomware, he said “it's usually all about money.”
The motivation of hackers who use ransomware, file-encrypting malware which holds valuable patient data hostage, is typically financial, Fier said. Still, "if you are targeting medical institutions during a pandemic, you could argue that could be seen as an act of terrorism."
When it comes to ransomware, Yuran said there's some good news for medical devices. "For the most part, medical devices do not have sensitive data on them. They might have patient data but nothing really valuable from a ransom perspective."
The bad news, according to Fier, is these devices could face collateral damage in a broader systemwide attack, in which devices could be "bricked," rendering them unusable.
But ultimately, Fier concludes U.S. hospitals have no choice but to operate these medical devices at unprecedented levels in response to COVID-19. He contends saving the lives of these very sick patients outweighs the inherent cybersecurity risks.
However, Barlow insists hospital cybersecurity executives "have an opportunity to move very quickly to prevent this from happening" to ensure clinicians keep working during this crisis. "Their key mantra should be 'not on my watch,'" he said. Healthcare organizations "need to be looking at the new vulnerabilities" in their systems and "doing everything they can to shore them up as rapidly as possible."
Correction: A previous version of this article said Darktrace was headquartered in Washington. This article has been updated to reflect the company's headquarters are in Cambridge, London and San Francisco.