Skip Navigation

Smart Medical Devices Call For Smarter Cyber Security

Breakthroughs.KERA.org 31

As our devices get smarter, they also are at risk of more sophisticated cyber security attacks. Yes, that car connected to the internet makes tracking trips and monitoring teen drivers easier…but it also means killing the motor with a few keystrokes is no longer science fiction. Cars aren’t the only machines to showcase the opportunities and risks of wireless. Medical devices are increasingly connected as well. Which means they’re also increasingly vulnerable.

Giving a hospital patient drugs used to be so, analog.


The KERA radio story.

Nurse Brandi Crow says up until 20 or so years ago, she and other nurses counted drops or made calculations by hand to determine the correct rate and dose of IV fluid and medications. These days, so-called smart pumps determine the dosages of everything from antibiotics and pain medications to chemotherapy drugs.

“They’re wireless,” she says. “They’re on the hospital wireless network, you don’t think about anybody really breaching that. Why would they want to get into a medical device?”

Crow, an analyst with Dallas-based healthcare research company MD Buyline, says now hospitals are starting to realize the potential danger of smart infusion pumps.

“You’re worried about someone going in and getting out a patient’s medical history,” Crow says. “You can get patient information, you can get financial information, all kinds of things through that, so whether it’s malicious or not malicious you’re opening yourself up for considerable risk.”

At some high-tech hospitals, pharmacists can prescribe and set up pumps remotely. The risk associated with a hack have caught the attention of the Food and Drug Administration. Earlier this summer, for the first time, the FDA warned caregivers to stop using a specific infusion pump because of its vulnerability to hacking.

The pump singled out by the FDA is the Symbiq Infusion System, created by Hospira (now part of Pfizer) and is no longer in production. Hospira declined an interview with KERA, but in a statement said the company has designed “our next-generation infusion systems with enhanced network security protections in place.”

See Hospira’s answers to our questions here:

Hospira Response September 2015

Why Connect Pumps? 

There are good reasons for pumps to be wireless and connected to pharmacists, nurses and a patient’s medical record. For one thing, drug orders can be very complex: you have to get the dose, concentration, and flow rate right. Typing those in leaves room for serious errors.

Dan Pettus, Vice President of information technology with medical device company CareFusion says smart pumps make it possible to program and update that information remotely.

CareFusion's Alaris smart pump helps continuously or intermittently deliver fluids, medications, blood and blood products patients.

CareFusion

CareFusion’s Alaris smart pump helps continuously or intermittently deliver fluids, medications, blood and blood products patients.

“A connected system gives someone remotely the ability to view what’s happening at the patients’ bedside,” he says. “[It] could be very valuable for a pharmacist to check the order or a nurse, and that raises the bar for the efficiency and safety of these infusion devices.”

And it’s true, smart pumps can make patients safer. A 2004 study at Vanderbilt University Medical Center found CareFusion’s pumps helped prevent errors with the blood-clot drug heparin.

Increased safety is one reason the market for smart pumps is expected to grow to$3.6 billion by 2017, according to MD Buyline.

The Risks Of Overlooking Cyber Security 

Jay Radcliffe, a hacker and type 1 diabetic, knows the benefits and dangers of medical devices firsthand. In 2011, he hacked his own insulin pump, and was able to write a program to turn it on and off, even change the therapy settings.

“The battle is that technology moves a lot faster than the agencies do,” he says.

Jay Radcliffe, a diabetic researcher with cyber security company Rapid7.

©Tamara Kenyon Photography – http://tamarakenyon.com

Jay Radcliffe, a diabetic researcher with cyber security company Rapid7.

Radcliffe, who now works for cyber security company Rapid7, says many hospitals still use pumps that are ten years old – which he compares to using a Windows 95 computer for financial transactions.

“[Medical device makers] seem to be lagging behind,” says Marty Edwards. “They need to work towards fixing that.”

Edwards is Director of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), at the Department of Homeland Security. His team works with researchers and device makers to address cyber security threats. He expects to see an rise in the number of medical devices that are flagged for vulnerabilities.

“This is an area that’s people are just starting to scratch the surface on from a research perspective,” he says.

Both Edwards and Radcliffe say there has been progress. Device makers are increasingly working with hackers rather than against them to identify and fix flaws.

Dan Pettus with CareFusion recognizes that even with the best software and encryption methods, companies still have to bring in so-called ‘white hat’ hackers to test the devices.

“And they will try everything under the sun to hack into that system,” Pettus says. “And you know what? They’re always going to find something because it’s an extremely complex ecosystem.”

Occasionally, what they find is a bad password. Seriously, hacker Jay Radcliffe, says hospitals sometimes purchase infusion pumps off the shelf and go with the default password. Still, he’s not overly concerned.

“There’s risk in everything we do,” Radcliffe says. “If I’m in a hospital and I’m in a life threatening situation and I need to be hooked up to a medical device, the risks of me dying far outweigh any minor risk of attack that could occur from a cyber security issue.”

As medical devices learn to talk to each other Radcliffe says it’s important we do too. Patients, hackers and hospitals have to be connected to stay ahead of new threats.