Cyber Medical Devices

It is important to protect medical devices by applying imaging system acceptance testing. This approach is usually in conjunction with the medical device supplier and the cyber security department of the hospital to assess all potential vulnerabilities which may include: securing all USB ports and CD/DVD drives using validated devices: can suppliers gain remote access, are the medical devices protected using strong user names and passwords and finally are the computer systems well maintained using the most up to date antivirus and antimalware software.

When purchasing medical equipment for patient use, all the above considerations must be evaluated on a regular basis.  To help to facilitate the relationship between suppliers and providers of patient healthcare, the National Electrical Manufacturers Association (NEMA) has produced guidance documents such as PS3.15 of the DICOM standard relating to Security and System Management Profiles.  Another guidance relates to the Manufacturer Disclosure Statement for Medical Device Security (MDS2), which helps the healthcare provider to perform risk assessments.

According to Dr Suzanne Schwartz, Center for Devices and Radiological Health:

Any medical device connected to a communications network, like Wi-Fi, or public or home Internet, may have cybersecurity vulnerabilities that could be exploited by unauthorised users.

In 2015, a phishing attack – which is a type of social engineering attack in order to steal user data, such as login and credit card details – was unleashed on the computer systems at UC Davis Health.  The hacker(s) may have compromised the personal health information of 15,000 patients.  In this case, the attack was most likely initiated when an employee responded to a phishing email with their account login details. The hacker was then able to send emails to other employees requesting bank transfers.  Fortunately, the attack was stopped and on further investigation found that there was no violation of sensitive information.

Several steps can be considered to prevent the loss of sensitive information from healthcare computer systems and can include: up to date cyber security training for all employees, picture archiving and communication system (PACS) on a separate system with own non-routable IP network to minimise exposure, data encryption at all points and updating Windows XP-based image acquisition devices.

The categorisation of security defences includes:

Technical – include firewalls, encryption and secure data transmission

Physical – the isolation of devices from each other including backing up and restoring data in addition to proper device disposal methods

Administrative – documenting security policies, maintaining audit trails, training staff, and incident reporting logs

The technical and physical categories in most cyber attacks result in hackers entering into the device.  However, computer failure is usually due to administrative safeguards and results in a catastrophe.  The healthcare providers must introduce and set minimum standards for upholding secure data policy and focus on the high-risk elements of their computer systems.  Therefore, consideration to maintain healthcare systems must take into account the following: the capability to use whitelisting, which is a cyber security list only giving administrator-approved programs and IP and email addresses, system access.  It is vital to ensure device functions towards best practices such as not using expired passwords and no elevated administrator privileges, including a supported operating system which can be upgraded by third-party applications. In addition to no hard-coded or default passwords in the devices.

Cyber breaches in healthcare information regarding patients are on the increase. In the first six months of 2019, there was a 53% increase in breach of health records compared to the whole of 2018.  The increase in cyber breaches in healthcare is likely to continue due to the array of highly sensitive patient health information such as date of birth, social security number, credit card data, insurance information and medical records.  All this information is a treasure trove for criminality, especially on the dark web.

Medical imaging is central to patient care and all these records are increasingly becoming digitised and stored on picture archiving communication systems (PACS).  The PACS system facilitates the sharing of medical images across healthcare organisations, so it is essential to implement robust cyber security.  However, ProPublica – an independent, non-profit newsroom that produces investigative journalism in the public interest – showed that 5 million patients in the US had their medical imaging data exposed on the internet.

This identifiable patient information can be used for blackmail purposes and should be protected as it was discovered that over 13.7 million medical tests, including 400,000 images (e.g. MRI scans, x-rays) were available on the internet.  Consequently, these imaging records were stored on servers which included archiving systems potentially with no monitoring for unauthorised changes. All these systems should be securely configured and in compliance with regulatory standards.

To demonstrate how these vulnerabilities could be detrimental in medical imaging equipment and the networks, Israeli cyber security experts performed using malware that was capable of changing the information on CT scans.  This was done to reflect a different diagnosis; for example, the CT scan of a healthy patient showing cancer and a sick patient indicating no disease present.

To prevent malware from altering CT and MRI scans, healthcare organisations need to install end-to-end encryption across its PACS networks, including the digital signature of all images.  All investigations have demonstrated that future malware attacks on CT scans are a real threat and both manufacturer and provider of medical imaging systems should not become complacent.  To further emphasise this potential problem, a controlled study was conducted on altering real CT lung scans using malware.  A group of radiologists reviewed 70 CT altered scans and were misled into misdiagnoses.  Furthermore, the radiologists reviewed another batch of CT scans and even though they knew this time about the malware, they were still misled by 60%.  Also, on the removal of cancerous nodules from the CT scans, the radiologists were unsuccessful in diagnosing actual sick patients 87% of the time.  These studies focus on the malware attack on the patient’s lung cancer CT scans.  However, malware can attack CT scans concerning heart disease, spinal injuries, brain tumours and bone fractures.

In the previous years, NHS Digital, which is the national provider of information, data and IT systems has embarked on aggressive cyber security programmes in the following areas:

Cyber monitoring, threat intelligence and incident responses

Enhanced support and guidance for local organisations

Improved cyber training with greater awareness and engagement to create cyber security best practice among NHS staff and organisations

Future

If you ever watched the cyber attack dramatisation in Chicago Med and Grey’s Anatomy where hospitals came under attack resulting in the shutdown of vital equipment.  It is essential to realise these situations reflect the increasing fact that hackers are carrying out cyber attacks on medical and personal devices.  For example, in 2019, the U.S. Food and Drug Administration informed patients and doctors that a specific make of insulin pump was at risk to cyber attacks.  Also, in 2017 it was found that certain implanted heart devices were susceptible to hacking via home monitoring systems.  The accumulation of cyber attacks on medical devices has forced the FDA to publish new guidelines in 2018 regarding these situations.

The future platforms in cyber security are to understanding what hackers want to achieve.  In most attacks, the hackers obtain healthcare patient data and payment information (e.g. credit card data) for fraudulent purposes.  To reduce these cyber threats, Government agencies require more trained cyber professionals to intercept these hackers and limit any damage caused.  On 25 May 2018, the EU’s General Data Protection Regulation (GDPR) came into force and will help in the protection of personal data and aid cyber security.  Another vulnerability is the company supply chains where hackers can infiltrate parts of systems during the construction to plant malware.  Therefore, companies have to think like a hacker and therefore reduce cyber attacks by creating innovative security across the supply chains.

The future of cyber security will use artificial intelligence (AI) to secure devices and systems within the internet of things (IoT).  These connected devices are increasing at a rapid rate and the consequences lead to exposure to potential cyber attacks.  It is claimed that by 2025, there will be an estimated 75 billion internet connected devices worldwide.  Also, it is projected that ownership of smart devices could rise from 10 to 15 devices per UK household this year.

The old computer operating systems no longer have the capability to keep up with evolving security threats and depend on human surveillance to keep them in order but this remains an ineffective approach.  Further investment into intelligent automated systems will monitor, detect, manage and prevent cyber attacks in real-time situations.