On October 28th, the Federal Bureau of Investigation, the Department of Health and Human Services, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency alerted hospital administrators and security researchers about a “credible threat” of cyberattacks to American hospitals. Four hundred American hospitals are being targeted in cyberattacks by the same Russian hackers whom American officials and researchers fear sought to cause problems with the presidential election.[1] The ubiquitous integration of medical devices throughout the hospital network environment provides a potential portal for cyberattacks by these and other criminals, which risk is increased during a pandemic. Hospital systems should consider cyberattacks on medical devices as a serious and evolving threat, and consult with legal counsel, insurance advisors and other experts to plan how to mitigate this threat going forward.
The Problem with Medical Devices
The problem with medical devices lies in their interconnectivity with the hospital’s information technology networks (“ITN”), which exposes the hospital’s ITN to vulnerabilities that exist in the medical device and its software. Presently, medical devices are deployed to fully leverage its connectivity to seamlessly integrate with the hospital’s ITN. Exacerbating the level of risk exposure is the exponential growth in the use of medical devices within the hospital. It is estimated that there are 10 to 15 million medical devices used in hospitals throughout the United States. On average, there are approximately 10 to 15 medical devices per bed.[2] The use of these medical devices and their linkage with the ITN of the hospital has transformed the delivery of health care, and improved patient safety and patient care. Connected medical devices are vital to care. They facilitate the collection and maintenance of important health data, provide greater patient mobility and independence, and facilitate care.
What is a Medical Device?
A medical device is defined by the Food and Drug Administration as:
- “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part or accessory which is:
- recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them;
- intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals; or
- intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.”[3] (Emphasis added)
In short, a medical devices is a device that is intended to diagnose, cure, mitigate, treat, or prevent a disease in man or other animals.
Why are Medical Devices Particularly Vulnerable to Cyberattack?
Many medical devices were designed for stand-alone use, and not to be utilized in a connected environment. They were created to be unidirectional. Many were manufactured to be used right out of the box. Therefore, they were not intended to be protected from cyberattacks. In addition, the medical devices may contain outdated operating system or software. Also, they may lack timely software updates or patches. All of these weakness create a fertile environment for experienced hackers.
Who Would Want to Perpetrate a Cyberattack upon a Hospital, and Why?
The question then arises, who would want to infiltrate a hospital’s ITN? What would be their motives? There are a number of cyber-players who may wish to breach the hospital’s ITN. They include, but are not limited to the following: criminals, nation-state attackers, and hackers furthering a political or social cause. Most of the cyber-players who target hospitals have a financial motivation, such as to extort money for holding a hospital’s ITN hostage. Some wish to sell or use patient information for their own financial gain. Other cyber-players solely seek to disrupt the hospital and cause chaos to further their nation’s interests or to make a statement.
What Harm can a Cyberattack cause to a Hospital?
A cyberattack can result in an array of adverse consequences for the hospital. The following are some examples of the harm that a cyberattack could cause:
- The attack could result in disruptions in patient care;
- The attack could distort the reliability of the information that the hospital relies upon for care;
- The attack could cause a loss and/or theft of patient information; and
- The attack could paralyze the use of the hospital’s ITN.
Why are Hospitals More Vulnerable During this Time of COVID?
The COVID-19 pandemic has created the perfect opportunity for cyber attackers to exploit the vulnerabilities existent with some connected medical devices. In April, Interpol issued an alert warning that, since the beginning of the pandemic, it noticed a significant upsurge in detected cyberattacks on health systems.[4] This threat is aggravated by health care providers having an increased need for both medical devices and temporary external hospital facilities during the pandemic.
What Preventive Measures can a Hospital Undertake? What Potential Barriers Confront the Hospital in Implementing Such Measures?
The hospital should consider the following preventive measures:
- Maintain a current inventory of the types of connected medical devices and where they are located within the facility;
- Identify areas of vulnerability;
- Isolate the systems that connect to medical devices;
- Create additional local and segregated networks, as needed; and
- Stress-test the connected medical devices.
Cost is a major barrier to some of these measures. Additionally, the existing capacity of the hospital’s ITN may also serve as a barrier.
In the final analysis, there is no risk-free cyber environment. The hospital must determine its risk appetite in consideration of the benefits offered by connecting medical devices to its ITN with its inherent vulnerabilities. Hospitals should also consult regularly with their legal counsel, insurance advisors and experts to plan for and address the risks associated with their ITN, including those related to the use of medical devices.
Please do not hesitate to contact us to discuss how your hospital or health system can better prepare for the liability that can arise from cyberattacks.
[1]New York Times, Officials Warn of Cyberattacks on Hospitals as Virus Cases Spike, October 28, 2020, https://www.nytimes.com/2020/10/28/us/hospitals-cyberattacks-coronavirus.html
[2] IBM Institute for Business Value, Treating Healthcare Cybersecurity Woes, https://www.ibm.com/thought-leadership/institute-business-value/report/medical-device-security
[3] FDA Medical Device Overview, https://www.fda.gov/industry/regulated-products/medical-device-overview
[4] Medtechdive, Coronavirus chaos ripe for hackers to exploit medical device vulnerabilities, April 8, 2020, https://www.medtechdive.com/news/coronavirus-chaos-ripe-for-hackers-to-exploit-medical-device-vulnerabilitie/575717/