An 83-year-old female with a history of sick sinus syndrome status post pacemaker implantation presents to the emergency department (ED) complaining of palpitations and lightheadedness. Upon arrival she is asymptomatic. Initial vital signs are as follows: T 37 C, HR 72, BP 120/80, RR 12, O2 sat 98% on RA. Within 10 minutes, her heart rate slows to 38 and she complains of severe lightheadedness. You order an electrocardiogram and ask for the name of her pacemaker manufacturer – just as you receive a call from the Department of Homeland Security advising you of a possible cyberattack in progress on the U.S. Senator now occupying your trauma bay. How do you respond?
Background
Emergency medicine residents tend to serve as the technical thought leaders of their departments. Raised with personal computers, smartphones, and social media, we have come to expect digital efficiency in our daily lives, and we hunger for such sophistication in our work as well. But we must be wary of the risk such technologies pose to the health of our patients and to our fragile healthcare systems.
Hospitals & Hackers
As we continue to expect innovation of our hospitals, clinics, and consumer health devices we expose ourselves to the dark side of such advances. The sophisticated health care devices our patients need for survival are built from vulnerable systems that are just as hackable as our home computers. The viruses, malware, and worms of the Internet don't stop at the digital borders of hospitals. The consolidation of healthcare delivery networks and electronic medical record (EMR) systems have now made the weak digital defenses of one hospital the vulnerabilities of hundreds.
The future of healthcare cybersecurity rests on not only the protection of patient information, but also the prevention of attacks on medical devices and vital hospital infrastructure from malicious hackers. For the past decade, talented researchers have been publishing vulnerabilities in medical devices such as insulin pumps, cardiac pacemakers, and bedside medication pumps.1-3 In each of these cases the demonstrated attacks could result in patient harm or death stemming from a compromised device. It is very possible that during our career in emergency medicine we will wake one morning to the news that a patient has died at the hands of hackers manipulating a medical device connected to the Internet.
Hospital infrastructure itself can be a target of cyberattack, as demonstrated in 2014 when the hacker collective Anonymous attacked Boston Children's Hospital for nearly a week, blocking Internet access and preventing vital services from being performed.4 Also in 2014 security researcher physicians demonstrated how easy it would be to hack 911 emergency systems, rendering them useless and preventing emergency responses to time critical illness such as STEMIs and strokes.5 In 2016 Hollywood Presbyterian Hospital in Los Angeles was the victim of a ransomware attack in which a piece of malware encrypted the EMR databases, resulting in the near-total shutdown of the institution for three days.6 And in a shocking twist of hacking-for-profit in August 2016, a healthcare IT security firm targeted St. Jude Medical, documenting vulnerabilities in its pacemakers and defibrillators — but instead of warning St. Jude, the firm partnered with an investor and published the findings in order to drive down stock prices and turn a profit.7 (Lawsuits are now pending.)
Government and Industry Guidance
Hospitals are by no means swimming alone in this sea of risk. In fact, the U.S. Food & Drug Administration's Center for Devices and Radiological Health points first at device manufacturers for safeguards. In a guidance issued in December 2016, the FDA outlines considerations in pre- and post-market security, cybersecurity vulnerabilities, and even evaluation of the risk of patient harm.8
But where do physicians fit in the picture?
We're on the front lines. Patient education falls to the providers at bedside — we must be ready to explain not only how a patient's medical device works (and how to maintain it), but also how to recognize a cybersecurity risk for that device.9 We must be ready to manage a patient who comes to the ED because a hacked pacemaker suddenly started malfunctioning or a compromised insulin pump is threatening to deliver fatal results.
How, exactly, do we accomplish that? It's a glaring knowledge gap — but one that needs to be corrected quickly. Speakers at the 2017 Healthcare Information and Management Systems Society meeting in February stressed that the possibility of ransomware moving from hospital IT systems to the clinical environment — via implanted devices — is not a matter of “if” but “when.”10
What Residents Can Do
Emergency medicine residents should use our technical prowess to advance patient care in safe and meaningful ways. We should identify the risks we will introduce as we improve health care in the 21st century, and prepare for inevitable cyber disasters that may disrupt our devices, harm our hospitals, and threaten our patients.
Awareness is a good first step. Read up!
RESOURCES
A Brief Chronology of Medical Device Security
The Association for Computing Machinery released this paper in October, offering an overview of the threats posed by the growing implantable device sector.
Networked Medical Device Cybersecurity and Patient Safety
This white paper from the Deloitte Center for Health Solutions sets forth 8 recommendations to help understand the shared responsibilities among health care providers, software and hardware manufacturers, and government regulators.
Top 10 Tips for Cybersecurity in Health Care
From Uncle Sam, this tip sheet — and its accompanying “Guide to Privacy and Security of Health Information” — includes a wealth of resources that will help physicians understand risk management principles associated with health care technology.
Closer to home, the EMRA Informatics Committee offers you a way to get directly involved in this issue. Join the group and suggest new ideas that will help our specialty address the risks inherent to the Information Age in which we practice.
No other field of medicine is better prepared to fight this battle than EM, and no other generation of computer-coding, smartphone-wielding, Tweeting doctors will do it better than we will.
References
- Ngak C. Black hat hacker can remotely attack insulin pumps and kill people. CBS News/Associated Press. August 29, 2011.
- Wadhwa T. Yes, you can hack a pacemaker (and other medical devices too). Singularity University via Forbes. December 6, 2012.
- Zetter K. Hacker can send fatal dose to hospital drug pumps. Wired. June 8, 2015.
- Farrell MB, Wen P. Hacker group Anonymous targets Children's Hospital. The Boston Globe. April 14, 2014.
- Zetter K. How hackers could mess with 911 systems and put you at risk. Wired. August 21, 2014.
- Winton R. Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating. Los Angeles Times. February 18, 2016.
- Osborne C. St. Jude Medical heart devices come under attack in security lawsuit. Zero Day. October 25, 2016.
- Postmarket Management of Cybersecurity in Medical Devices. Center for Devices and Radiological Health, U.S. Food & Drug Administration. December 28, 2016.
- Rose RV. Analyzing FDA guidance on medical device cybersecurity. Physicians Practice. January 28, 2016.
- Slabodkin G. Ransomware emerging as medical device cybersecurity threat. Health Data Management. February 20, 2017.