Jan 4, 2024 - Health

"A real Achilles' heel": Medical devices could be hacked next, officials fear

Illustration of a grimacing face on an EKG monitor.

Illustration: Shoshana Gordon/Axios

Amid growing cybersecurity threats to health care facilities, federal officials and health systems are turning their attention to potential vulnerabilities hiding in plain sight in hospital rooms, imaging centers and even patients' homes: medical devices.

Why it matters: Hackers have especially targeted health systems for their valuable troves of patient data and in some cases have temporarily knocked systems offline, disrupting patient care.

  • But there are also a range of medical devices — such as MRIs, ventilators and pacemakers — that are potential targets, particularly when it comes to aging devices with outdated software.

Driving the news: A government watchdog late last month called for the Food and Drug Administration, which oversees medical devices, and the Cybersecurity and Infrastructure Security Agency to improve coordination on cybersecurity of medical devices — a recommendation both agencies agreed with.

  • The watchdog's report noted that medical devices haven't been a major target so far, but their vulnerabilities "still pose risks to hospital networks — and patients."
  • "It's a real Achilles' heel and a blind spot for health systems," Toby Gouker, an executive at privacy and security firm First Health Advisory, told Axios.

The big picture: While the threat to devices has so far been largely theoretical, Gouker predicted they will increasingly become the targets as health systems get better at shutting down hackers' attempts to seize health records.

  • "What makes more money in a hospital than anything else?" Gouker said. In many places, it's the multimillion-dollar devices such as MRIs, he said.
  • "If you bring an MRI down, you can take a lot of health systems to their knees."

Between the lines: As of last March, a new law requires manufacturers to submit plans to address cybersecurity vulnerabilities for any new medical devices to the FDA.

  • But that doesn't apply to the vast array of connected devices already on the market, said Chelsea Arnone, director of federal affairs for the College of Healthcare Information Management Executives.
  • "Everything from your hospital bed to your infusion pump next to the bed, to the monitor next to the bed that's measuring, monitoring your vitals, they're all connected," she told Axios.
  • "Everything is online ... so they're all ostensibly hackable."
  • Many devices incorporate off-the-shelf software that is vulnerable to threats, such as viruses and worms.
  • And until the recent requirements for new medical devices, manufacturers largely haven't had to offer patches and other solutions to their customers when vulnerabilities emerge on aging devices, although many do for some period of time.

Zoom in: Arnone said one hospital described to her how it discovered a person in Russia had backdoor access to one of its medical devices.

  • The hospital was able to take the product offline to isolate the problem, but when they called the manufacturer for help, they learned there was no fix.
  • "It's just old school. You're calling someone on the phone and waiting and trying to get the right person who can help you. It's like the worst kind of customer support," Arnone said.

Yes, but: Medical device makers have an economic incentive to protect their brands, and industry experts say they partner with providers to boost the security of their products against near-constant threats.

  • But they are also facing a difficult challenge as health care organizations use devices far beyond the lifespan of their ability to provide security and support for the product.
  • An FDA-commissioned report in November proposed recommendations for how the industry should manage the cybersecurity risks of legacy medical devices, MedTechDive reported.

Be smart: There is "a bag of tricks" experts at health systems with advanced cybersecurity programs use to protect against threats to their devices.

  • In addition to patching, they might take other steps to respond to specific threats, such as dividing up devices and equipment behind protective firewalls, and in some cases just retiring equipment, Gouker said.
  • The problem is, he said: Only a small fraction of health systems actually take such measures because it’s simply too expensive or, in many cases, because they don’t even know how many devices are on their networks.

Go deeper: Bureaucracy is complicating health care's hacking problem

Go deeper