Computer hackers breached databases at health care organizations hundreds of times last year. And they didn’t need to invent sophisticated new digital weapons to do it.
Health care cyberattacks often exploit basic weaknesses in the Microsoft Windows operating system that runs in the background of many digital medical systems. That includes the “WannaCry” ransomware worm that disrupted nearly a third of all the hospital trusts in the United Kingdom last year, and the ongoing “Orangeworm” Trojan malware attacks that are infecting X-ray and MRI machines in U.S. hospitals.
“Attackers are using old stuff,” said Stephanie Domas, vice president of research and development at medical-device security firm MedSec, who spoke Wednesday at Medtronic’s Mounds View campus. “We’ve known about this Trojan — most antivirus blocks it — yet Orangeworm is having success attacking with it. … (For) WannaCry, there was a patch before it happened.”
Yet hospitals remained vulnerable because installing software patches is complex and slow. Domas showed the Medtronic audience how quickly hackers can use tools like Google’s BinDiff program to analyze new software patches and identify vulnerabilities that can still be exploited on unpatched machines.
Her comments came as part of Medtronic’s fourth annual Global Medical Device Security Symposium, an all-day event intended to spread awareness about cybersecurity within the company, and beyond.
Medtronic executives told the group that medical device cybersecurity needs to be a “team sport” among departments and teams, and even among competitors, and it must be considered early in product design. Compromising digital health care products is a big business because medical data is valuable on the black market.
“We operate in the medical device space knowing that we have to develop and deliver the most profound therapies that we can in an environment that is sometimes hostile,” said Patrick Joyce, chief information security officer for Medtronic. “We have to be very careful in what we do and how we do it to make sure that we can still deliver those therapies in a secure way.”
Medtronic doesn’t make X-ray machines or MRIs, nor does it make hospital drug-infusion pumps like those that have been subject to warnings about cyber vulnerabilities. But it is a major seller of pacemakers, which were among the first medical devices ever identified as potentially vulnerable to computer hacking. Medtronic also makes insulin pumps, which have been a hacking target over the years.
Emphasizing the connectivity and ubiquity of medical devices, speakers at this week’s symposium displayed photos of pediatric patients receiving intensive hospital care. In the photos, young patients lie in their beds inside rooms festooned with machines with blinking lights and screens, many if not all of which are communicating invisibly to maintain the child’s health.
“You can clearly see there’s a lot of attack surface there. There’s a lot of points of failure,” said Dr. Christian Dameff, a computer-security researcher and San Diego emergency-medicine doctor, as he displayed one such photo for the audience. “A lot of consideration should be given to every single one of these blinking boxes … I can almost guarantee, most of those blinking boxes are doing vitally important things to keep that child alive.”
Authorities have never documented a malicious cyberattack against a medical device that was designed to harm a patient — but the emphasis there is on “documented.”
Dameff told the audience that he strongly believes such attacks have happened, but hospitals and device companies lack the means and the incentives to detect them.
Some cardiologists, meanwhile, are skeptical of installing any updates on heart devices, since the risk of malfunctions from updates could appear higher than that from hacking.
“We’re going to have more vulnerabilities, more patches, and we’re going to need a way for doctors to apply them in a reasonable way,” Dameff told the Medtronic audience. “I’ll work on the part about convincing the doctors. In the meantime, please keep making the patches.”
They will. Medtronic has released four security bulletins with various mitigation strategies this year. Abbott Laboratories, which acquired St. Jude Medical after cybersecurity vulnerabilities in its heart devices were exposed, has put out updates for hundreds of thousands of devices. And all three major U.S. pacemaker companies have issued cybersecurity warnings for the computers used to program heart devices since 2016.
Media were allowed to see only the first few hours of Medtronic’s all-day security symposium, given the sensitive nature of the topic. But the theme of the day is one that Medtronic doesn’t mind touting publicly.
“We are showing our employees the importance of this topic,” Russo said after his comments to the audience. “It is not a one-time thought process. Security is not a bolt-on.”