Cybercriminals target internet-connected medical devices

Nick Sturgeon leads an IU Health lab at 16 Tech designed to protect medical devices from hacking. (Photo by Mike Dickbernd, courtesy of IU Health)

It’s a small space, just 450 square feet, in a former garage at the 16 Tech innovation district, crammed with computer equipment.

But inside the lab, which has been open about a month, four information technology specialists at Indiana University Health are about to begin testing hundreds or even thousands of medical devices, from blood pressure monitors to electrocardiogram machines, to make sure they are secure.

They are on a mission to make sure hackers can’t get in and shut down a patient’s medical device, or perhaps worse, freeze a hospital’s entire network.

Hackers have shown security experts at safety conventions that it’s possible for outsiders to take control of insulin pumps remotely to deliver a lethal dose or send a deadly electrical shock to a patient’s pacemaker. Security teams are working to make sure that possibility doesn’t become a reality.

Hackers have shut down computer networks at hospitals by breaking into medical devices and freezing electronic patient records, with a demand for millions of dollars via “ransomware.”

Hospitals are increasingly connecting devices to the Internet, to provide doctors and other health care workers up-to-the-minute information on how a patient is responding to drugs and other treatments. But all the connectivity comes at a price: a growing risk of getting hacked.

“It has opened up, for lack of a better word, a kind of playground for cybercriminals,” said Nick Sturgeon, director of information services for IU Health, who set up the lab at 16 Tech.

Health care certainly is not alone as an industry vulnerable to hacking. Colonial Pipeline, the largest fuel pipeline in the United States, was taken down by hackers in April as the result of a single compromised password. The company eventually gave into demands and paid the hackers more than $4 million in ransom.

The following month, hackers shut down the operations of JBS, the world’s largest meat supplier, and forced it to suspend operations at nine beef-processing plants across the country.

But for years, the health care industry has fallen prey to cybercriminals intent on stealing patient data and making hospitals prime targets for ransomware attacks.

A study by Comparitech showed that ransomware attacks on hospitals and health care companies resulted in more than $20 billion in lost revenue, lawsuits and ransom paid in 2020 alone.

And with the growing use of telehealth and other virtual care during the pandemic, medical providers and patients are relying more on medical devices to keep in touch.

Nationally, cybersecurity has become a top federal priority. Last month, President Joe Biden signed an executive order outlining federal measures to improve the nation’s cybersecurity, including in medical devices.

Around the country, large hospitals and universities have begun setting up elaborate labs to try to keep their networks safe.

The Archimedes Centre for Healthcare and Device Security at the University of Michigan was set up to help manufacturers and industry experts navigate cybersecurity risks.

The Medical Device Plug-and-Play Lab at Massachusetts General Hospital is designed to test medical networks to make them bulletproof to cyberhackers.

And hacker conventions around the country, notably Def Con’s Biohacking Village, have shown the health care industry its weak spots and ways to keep its systems safe.

Scott Shackelford

But some cybersecurity experts say hospitals and health care systems still have a big job to do, notably in keeping medical devices secure. The typical hospital bed, for example, has 10 to 15 connected devices, many of which are vulnerable to attack.

And even when patients go home, their pacemakers, insulin pumps and other electronic devices could be attacked if hackers can work their way through some basic coding.

“So, there’s all these legacy systems and, in some cases … insulin pumps running Windows XP, for example,” said Scott Shackelford, chair of the cybersecurity program at Indiana University in Bloomington.

“Unfortunately, there’s just a huge range of different ways into these systems which aren’t even just back doors anymore, but kind of front doors left wide open,” he said.

Infusion pumps, for one, could be easy to hack if a hospital hasn’t found a way to keep it secure. An infusion pump system is basically a medical pump attached to a small computer designed to deliver medicine to a patient.

Tim Sewell

“So, a hacker can attack that computer, just like a laptop or a server in a data center,” said Tim Sewell, co-founder and chief technology officer of RevealRisk, a Carmel-based firm specializing in cybersecurity. “It’s on the network. It’s, in many cases, even running a Windows operating system. So, they’re able to attack it just like anything else.”

It’s unclear whether any Indiana hospital has been compromised by a hacker’s attack on medical devices. Several hospital systems either declined to comment or said they were unaware of any large attacks.

“Not to my knowledge,” said Sturgeon at IU Health. “But that doesn’t mean there hasn’t been.”

Sturgeon said the new IU Health lab is designed to look at devices that could be vulnerable and figure out how to prevent a calamity before it happens.

He and his three IT experts plan to test a huge range of devices. “We obviously don’t want to be testing on live individuals,” he said. “So, this lab will allow us to take it in a safe, contained area to understand the impacts, should we discover an issue.”

Some other Indiana hospital systems are contracting with outside experts with the goal of keeping devices secure. Community Health Network said it recently partnered with Trimedx, a cybersecurity consulting firm based in Indianapolis, to strengthen the surety of its connected medical devices.

“Patient safety is a priority for us, and that includes cyber safety,” spokeswoman Kris Kirschner said.

Franciscan Health said it has no plans to set up an in-house lab to test devices, as IU Health is doing, although it is aware of cyber threats to patient safety.

“We are growing and maturing our cybersecurity program as a whole,” Franciscan said in a brief statement.

At IU Health, Sturgeon has spent the better part of a year setting up protocols and procedures to make sure the hospital’s testing systems are as tight as possible. He said the last thing he wants to do is unnecessarily alarm a medical-device maker.

“We want to make sure, when we do actually start our testing, we have all of our ducks in a row,” he said.•

Please enable JavaScript to view this content.

Story Continues Below

Editor's note: You can comment on IBJ stories by signing in to your IBJ account. If you have not registered, please sign up for a free account now. Please note our updated comment policy that will govern how comments are moderated.

One thought on “Cybercriminals target internet-connected medical devices

  1. [[ Colonial Pipeline, the largest fuel pipeline in the United States, was taken down by hackers in April as the result of a single compromised password. ]]
    .
    What’s interesting about this is that within the technical community, there were strong rumors what was hit was the billing system and Colonial shut down the pipeline rather than pump the fuel for free. Sort of like an electrical utility which would likely shut down if their billing system was taken down because they wouldn’t be able to adequately charge their clientele.
    .
    As far as a single password downing the system, how many compromised passwords do you think it would take? 4? 5? Perhaps a better way to word it is they were taken down by 1FA (1-Factor Authentication). The CIO/CTO should have been publicly named, shamed, and fired to a degree where they can’t find tech work and end up working at a grill at Chez Ronald in perpetuity.

{{ articles_remaining }}
Free {{ article_text }} Remaining
{{ articles_remaining }}
Free {{ article_text }} Remaining Article limit resets in {{ count_down }} days.