The FBI’s Cyber Division released a Private Industry Notification (PIN) on 8 April 2014 detailing in stark terms that healthcare records and medical devices are poorly defended against cyber intrusions. The problem is exacerbated by the looming 2015 deadline for transition to electronic health records (EHR) as envisioned by the Information Technology for Economic and Clinical Health Act (Public Law 111–5, 123 Stat. 115 (2009)). The FBI report asserts that the EHR transition and the increasing number of medical devices that are connected to the internet will collectively offer fertile territory for cyber criminals unless collective defensive action is taken, including smart investments in cyber security technology.
Until recently the discussion of cyber security was primarily focused on national security, infrastructure, and the financial industry -- and with good reason. The Washington Post reported in its 24 March 2014 edition that in 2012 Federal agents notified over 3000 private sector companies that they had been the subject of cyber intrusions. The victims included large and small firms across the spectrum of industries -- from banks to defense contractors to retailers like Target. While 3000 may seem like an large number, the Washington Post article quoted experts like James A. Lewis of the Center for Strategic and International Studies who suggested that the problem is actually far worse because those known attacks are merely a fraction of the overall number of cyber intrusions each year.
The FBI Cyber Division report notes that the healthcare industry writ large is “not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.” Not only are the personal medical records of individuals at risk, so too are medical devices. In June 2013 the Department of Homeland Security and the Food and Drug Administration issued a coordinated alert to healthcare facilities and medical device manufacturers urging that they upgrade their defenses against cyber intrusions. The alert documented a password vulnerability affecting “roughly 300 medical devices across approximately 40 vendors.”
Regrettably, the problem is not theoretical. Wired Magazine recently carried a story by Kim Zetter discussing the findings of a two-year study of the cyber integrity of medical equipment at a “large chain of Midwest health care facilities.” Among the disconcerting findings are the ability of cyber attackers to remotely manipulate “drug infusion pumps–for delivering morphine drips, chemotherapy and antibiotics; . . . Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.”
Clearly, there remains much to be done to ensure the healthcare industry and medical devices are better protected against cyber threats.
[1] FBI Cyber Division Private Industry Notification #140408-009, 8 Apr. 2014
[2] http://www.wired.com/2014/04/hospital-equipment-vulnerable/
[3] http://www.washingtonpost.com/world/national-security/2014/03/24/74aff686-aed9-11e3-96dc-d6ea14c099f9_story.html
[4] http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01
Until recently the discussion of cyber security was primarily focused on national security, infrastructure, and the financial industry -- and with good reason. The Washington Post reported in its 24 March 2014 edition that in 2012 Federal agents notified over 3000 private sector companies that they had been the subject of cyber intrusions. The victims included large and small firms across the spectrum of industries -- from banks to defense contractors to retailers like Target. While 3000 may seem like an large number, the Washington Post article quoted experts like James A. Lewis of the Center for Strategic and International Studies who suggested that the problem is actually far worse because those known attacks are merely a fraction of the overall number of cyber intrusions each year.
The FBI Cyber Division report notes that the healthcare industry writ large is “not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.” Not only are the personal medical records of individuals at risk, so too are medical devices. In June 2013 the Department of Homeland Security and the Food and Drug Administration issued a coordinated alert to healthcare facilities and medical device manufacturers urging that they upgrade their defenses against cyber intrusions. The alert documented a password vulnerability affecting “roughly 300 medical devices across approximately 40 vendors.”
Regrettably, the problem is not theoretical. Wired Magazine recently carried a story by Kim Zetter discussing the findings of a two-year study of the cyber integrity of medical equipment at a “large chain of Midwest health care facilities.” Among the disconcerting findings are the ability of cyber attackers to remotely manipulate “drug infusion pumps–for delivering morphine drips, chemotherapy and antibiotics; . . . Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.”
Clearly, there remains much to be done to ensure the healthcare industry and medical devices are better protected against cyber threats.
[1] FBI Cyber Division Private Industry Notification #140408-009, 8 Apr. 2014
[2] http://www.wired.com/2014/04/hospital-equipment-vulnerable/
[3] http://www.washingtonpost.com/world/national-security/2014/03/24/74aff686-aed9-11e3-96dc-d6ea14c099f9_story.html
[4] http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01
RSS Feed