The Hidden Menace in the Body of the HealthCare “Internet of Things”

So much within us remains hidden to us. Each of us unaware of the moment when those hidden vulnerabilities will make themselves known.  Diseases, for example, don’t often announce themselves to us when they arrive.  That first malignant cell doesn’t set off warning bells.  Often, it’s not that first moment of infection that commands our attention.  Each day, today and tomorrow and tomorrows thereafter, hold within it the possibility that subterranean malevolence will make its way up to the surface of our lives. 

Friday, Oct. 21 was one of those days, when concealed malice made itself known.  On that day, hackers attacked major components of the internet’s infrastructure, temporarily bringing down dozens of major spaces and services, including Twitter, PayPal, Amazon Web Services.  We now know that part of the attack came through cybersecurity vulnerabilities in internet-connected webcams and DVRS.  And so another zero day is born from the unstoppable force of convergence between our physical and cyber worlds we are currently call the “internet of things.”

With the few months left in this year of seemingly weekly ransomware attacks targeting healthcare organizations, it would be foolish not to consider the implications for patients’ and provider organizations’ security when those attacks begin to target the medical “internet of things.” 

Earlier just this month (which, naturally, is Cybersecurity Awareness Month), CNBC reported that

Johnson & Johnson notified 114,000 diabetic patients that a hacker could exploit one of its insulin pumps, disabling the device or altering the dosage.

It was only some 13 months ago that

Cybersecurity experts Scott Erven and Mark Collao found a "very large unnamed US healthcare organization” with “some 12,000 staff and 3,000 physicians”  exposing more than “68,000 medical device systems.

Some “21 anesthesia, 488 cardiology, 67 nuclear medical, and 133 infusion systems, 31 pacemakers, 97 MRI scanners, and 323 picture archiving and communications gear” were exposed to potential hacking. 

Lynette Sherrill, deputy director of health information security in the Department of Veterans’ Affairs, describes the “advanced, persistent threat” medical devices represent to her organization’s cybersecurity threat posture.  In a recent interview, she described medical devices as “the weakest link we have on the network ... they can become a launching point for the rest of the network, if they are exploited,” describing medical devices, such as CT Scanners or MRI machines, not getting cybersecurity vulnerability patches with the same urgency as other systems on a health care organization’s network. 

The patient safety implications related to hacked medical devices are what keep Cathy Petrozinno, principal, cybersecurity partnerships and information privacy at the MITRE Corporation, and HIMSS Privacy & Security Committee member, worried at night and busy at work during the day.

But during a recent episode of HIMSS’s cybersecurity-focused podcast, Code Red™ entitled Medical Device Security in the Age of the “Internet of Things, Petrozinno warned healthcare leaders their own ignorance about the impact of the hidden cybersecurity vulnerabilities to their organizations network, through medical devices and other systems, truly is the biggest threat to their organization. 

The (cybersecurity) threat has changed quite a bit in the last 5 years, and some of the healthcare leaders have been slow to understand the changing threat and the full implication it has to their organization.  That is the biggest threat, the lack of awareness at the leadership level.  Nowadays we have adversaries who are bona fide criminals or worse.  They could be nation-state actors or even terrorist groups.  And this is their profession.  They make a living breaking into healthcare organizations, financial organizations, etc.  And like criminals, they are very good at breaking in, even through traditional defenses.  They are very hard to detect when they have broken in.  They may hang out for a while.  Often the consequences are fairly insignificant for them, even if they are caught…and these adversaries can be very disruptive in overt and covert ways.

As the 2016 HIMSS Cybersecurity survey indicates, 80% of respondents to the 2016 HIMSS Cybersecurity survey stated that they had a significant security incident in the last 12 months.  “Cynics would say the other 20% are just unaware that they have had a significant security incident,” Petrozinno interjects during her interview with HIMSS Code Red’s host, Rod Piechowski.

“How oft the sight of means to do ill deeds make deeds ill done,” Shakespeare tells us in A Winter’s Tale.  We are past the point of pretending this problem is going to go away, or get better just by wishing it so.

Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council, and founder of I Am the Cavalry, tell us that it is well past time to take the threat that medical device cybersecurity vulnerabilities represent to the healthcare industry seriously. 

"People who say 'oh but no one would ever do that' fail to understand on the internet, every sociopath is your next door neighbor.  I am increasingly uncomfortable relying on the kindness of strangers everywhere on the planet.  Assuming that no one would (hack a medical device) is naïve, and assuming that organizations are capable of stopping it is unmerited trust.” 

Ask yourself if you trust that your organization is capable of stopping the threat.  And consider your response carefully the next time a patient walks out your door with a pacemaker in their chest or an insulin pump at their side.



HIMSS; healthcare; health IT;