Medical Devices Are Ubiquitous, Vital, And Often Unsecure
When Jay Radcliffe hacked his own insulin pump on stage at the Black Hat cybersecurity conference in 2011, the room filled with applause.
Diagnosed with type 1 diabetes at age 22, he had just demonstrated how a bad guy could really mess him up.
“You could give me insulin right now, without my authority,” he said from the stage.
At the time, very few had shown how lax the security of these medical devices was.
“I wrote a program that would turn off my insulin pump and change the therapy settings without the user knowing it,” he said in a recent interview. “It turned into this very, very big thing.”
For years, device manufacturers assumed doctors and technicians would be the only ones interested in these devices. But it quickly became clear this was just the beginning.
As the healthcare industry becomes increasingly connected to deliver real-time data, monitoring and new therapy options, it isn’t just the implantable pacemaker or insulin pump with problems.
The bedside patient heart monitor and anesthesia machines, the lab CT machine and hundreds of other health devices of various purposes, operating systems and connectivity are all open targets — threatening patients and creating a massive attack surface for bad guys.
Between 2016 and 2018 there was a 400% increase per quarter in cybersecurity warnings from manufacturers. It could reflect companies being more transparent after the U.S. Food and Drug Administration released new guidance for medical device manufacturers in 2016.
Back in 2011, “transparent” isn’t how Radcliffe would describe them. And they were ill-prepared for outsiders like him saying, “Hey, you got a problem here.”
“They weren’t very responsive. They didn’t return my phone calls,” he said. “They didn’t have a process or procedure. If there’s no process (with these big companies), it’s kind of paralysis.”
Companies could threaten hackers with copyright infringement lawsuits when they exposed vulnerabilities. The space was so bad that many in the field thought something dire would have to happen before things changed, including Josh Corman, an ethical hacker.
“I said, ‘Guys, I’m not going to lie to you, people have to die first. No one is going to listen until we have our first confirmed kills,’” said Corman, at the CyberMed Summit in November, talking about how hopeless some early security researchers were in the space.
Just a building over from Corman’s talk on the University of California San Diego’s campus, a man on a stretcher would later be rolled into a bright white hospital room by emergency medical technicians.
“Seventy-three-year-old male, he’s got left-sided weakness, right-sided facial droop,” the tech said before rattling off a series of vitals.
Medical personnel led by Dr. Rahul Nene worked to diagnose Patrick, who has been paralyzed on his left side for three hours. After asking about his medications and an assortment of other questions, Nene thinks he knows what to do.
“We’re gonna start with a CAT scan of your head. I’m worried that you may be having a stroke,” said Nene.
“What?” replied an alarmed Patrick.
The doctor repeats himself and before long Patrick is sent to get the CT scan that will answer one critical question: is a bleed or a blockage causing the stroke? Nene can treat a blockage with a clot buster called TPA. But giving that same drug to a patient with a bleed could have grave consequences.
Then disaster strikes.
“Attention clinicians!” blared the PA system.
The announcement: The CT scanner, along with several other critical systems, has been taken offline by what Dr. Nene will later learn is a ransomware attack.
“Please resort to paper record keeping,” said the disembodied voice.
“Oh, well that’s going to make things a little bit more difficult,” Nene said.
The only test that could tell the doctor how to treat Patrick is offline. Every minute he goes without treatment, his oxygen-starved brain is dying.
Fortunately, this is just a simulation. Everyone other than Dr. Nene knew a cyber attack was coming.
Upstairs, a couple hundred medical device manufacturers, doctors and security researchers watch the scene unfold live.
Narrating the scene was Dr. Christian Dameff, who along with Dr. Jeff Tully, one of the people assisting Dr. Nene on screen, organized the summit.
“Because they can’t take care of this patient, they actually have to transfer them to another hospital, again this is wasted minutes,” said Dameff.
The simulation is meant to show how reliant doctors are on technology, especially internet-connected devices that can be hacked, and how ill-prepared they are for worst-case scenarios.
Keeping Up With Devices
There are currently no deaths linked to medical device hacking, but — as the demonstration showed — we might not know it if there were.
“Doctors and nurses don’t know about it (and) aren’t looking for it. Hospitals do not have the security resources that they need to even detect some of these attacks. Device manufacturers have little incentive to do deep forensic analysis because it may lead to a huge issue with them,” Dameff said.
Dameff, who is the medical director of cybersecurity at UCSD, said most in the healthcare industry only think about cybersecurity in terms of data and HIPAA fines, which will cost providers an estimated $4 billion this year.
The threat for medical devices is less from bad guys and more from unintended malware that slows devices down and endangers patients, he said.
Things like 2017’s WannaCry ransomware attack that crippled one-third of hospitals in the U.K., or the recent spate of cryptojacking incidents that have turned some hospital machines into bitcoin miners, as happened at Decatur Memorial in Illinois.
“I don’t think there is an army of psychopath hackers out there that are ready to do that. Instead, I think we have a far more boring but realistic threat. It’s unintentional spillover effects,” he said.
Officials with the Food and Drug Administration didn’t wait for someone to get hurt to act.
After getting rapped on the knuckles a decade ago by the U.S. Government Accountability Office for not guiding medical device manufacturers on cybersecurity, the FDA has released multiple pieces of guidance to increase cybersecurity in the field with new, more stringent iterations on the way.
Security researchers TPR talked to agreed these efforts have made new devices more secure — though some think the bar is still set too low — and that manufacturers may be on the right track.
That said, this is a decade-long effort and addresses an issue touching thousands of manufacturers, tens of thousands of hospitals and millions of patients.
So, new devices are making progress, but what about the older ones still being used in hospitals?
“We’re years behind the attackers in many cases when it comes to ID’ing these vulnerabilities and patching these devices,” said Adam Nunn, a consultant for Clearwater Compliance who has worked in hospitals for more than 20 years.
Even when companies do have updates for their products, he said, the average hospital has tens of thousands of connected devices.
Paired with the fact that most medical facilities don’t have a full-time cybersecurity person, Nunn said, hospitals often can’t keep up with security updates.
“You remember the old cartoons where there’s a dam and somebody’s trying to plug up the hole and holes keep opening up? It’s kind of like that,” he said.
Suzanne Schwartz is deputy director of the Office of Strategic Partnerships and Technology Innovation at the Food and Drug Administration. She calls these older, legacy devices the “last mile” problem because they were so expensive to buy and can be hard to update.
“Yeah, the legacy (device) challenge is an extraordinary challenge because of the many factors that are involved, economics being a significant one…,” she said.
The FDA wants more power to increase cybersecurity and to require that devices collect more data. A federal task force recommended creating a cash-for-clunkers program to incentivize hospitals to toss old devices.
And that doesn’t account for the lifecycle of devices.
If it takes five years to design a product, and, say, a pacemaker is designed to last around 10 years, the industry is years away from addressing vulnerabilities discovered today.
Don't Know What We Don't Know
In July the Department of Homeland Security pushed an alert on a series of vulnerabilities found in software running on what would grow to 2 billion devices, from medical equipment to industrial control systems.
Armis, the security firm, discovered the so-called “Urgent/11” security flaws, which could let someone remotely take over many devices built on the massively popular VxWorks connectivity software. Even with many normal network protections in place, an attacker could take over the device or use it as a springboard for an even larger network attack.
The FDA played a pivotal role in getting manufacturers to investigate whether they were affected.
“Their outreach was very significant and the alert that the FDA sent out really made the difference,” said Ben Seri, vice president of research for Armis.
With the help of the FDA, Armis and a major manufacturer determined that one million bedside drug-infusion pumps were affected by the Urgent/11 exploits.
The FDA’s collaborative approach convinced some manufacturers to listen to hackers.
That’s a far cry from eight years ago when security researchers felt they had to get on a stage and “do a live demo of a hack in order to get the attention and to get some action from the manufacturer,” according to Schwartz. “We’re in a very, very different place now.”
But most Americans don’t know much about this issue. And Jay Radcliffe says consumers of medical devices aren’t likely to be able to keep up.
“Companies with big budgets can’t keep laptops up-to-date. How is the consumer or patient going to keep up with patching their refrigerator, their toothbrush, their pacemaker, their insulin pumps?” he asked. “It’s a very daunting challenge.”
Radcliffe now works for a medical device company that builds mostly lab equipment. And despite the risk he sees in the industry, he said, it is still well outweighed by the benefit of his insulin pump and many other devices.
“You know, yes, there’s some risk. But ultimately, when I look at my health, I can’t not get these tests. I can’t not have these treatments,” Radcliffe said.
Unlike many patients in the U.S., however, he is at least aware of those risks.