Last Week in Tech Policy #57: Medjacking

(by Justin Manusov, Colorado Law 3L)

Hacking. Tapping. Cracking. Medjacking.

In the TV show Homeland episode Broken Hearts, a CIA informant is forced to retrieve a serial number that corresponds to the American Vice President’s pacemaker. A terrorist gains access to the VP’s pacemaker, accelerates his heartbeat and induces a heart attack.

Former Vice President Dick Cheney revealed that when he had a device implanted to regulate his heartbeat in 2007, he had his doctors disable its wireless capabilities to prevent a possible assassination attempt.

The health IT community is beginning to take medjacking seriously.

Medjacking is the hijacking of biomedical devices to create backdoors into hospital networks. Hackers know that a hospital can have multiple networked medical devices per hospital bed, but not necessarily effective biomedical device security. In the worst case, these technologies can enable hackers to use malware to hold data hostage, or to alter data en route, creating an inaccurate view of the patient’s condition and the potential to harm patients. At the very least, they carry the risk of exposing private patient data that can be used for identity theft.

To complicate matters, many cybersecurity measures are not mandated, but simply recommended by federal guidelines:

Medical device manufacturers and health care facilities should take steps to ensure appropriate safeguards. Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity. They are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.

Hospitals and health care facilities should evaluate their network security and protect their hospital systems.

The FDA admits that all medical devices carry a certain amount of risk. But are we aware that this risk includes cybersecurity risk? Medical devices, like any other computer system, can be vulnerable to security breaches, and this vulnerability increases as medical devices are increasingly connected to the internet and to hospital networks.

The FDA is not solely responsible for the cybersecurity of medical devices. The FDA works closely with federal government agencies like the U.S. Department of Homeland Security (DHS), the private sector, and manufacturers to increase security. However, the FDA doesn’t conduct premarket testing for medical products that use off-the-shelf security software—testing is the responsibility of the medical product manufacturer. Put simply, medical device manufacturers must comply with federal regulations called quality system regulations (QSRs) that require them to address all risks, including cybersecurity risks. The regulation provides only a framework and guidance, requiring manufacturers to use good judgment in developing safe medical devices.

Many hospitals are unaware of the cybersecurity risks associated with biomedical devices. The FDA doesn’t require a pre-market security assessment of vendor devices. Nor does a post-market device require re-certification by the FDA. FDA guidelines make it the responsibility of the vendors to ensure their systems are secure.

Companies like GreatBay offer services to secure biomedical devices. Traditional network security provisions (VLANs, firewalls, network access control, intrusion detection/prevention systems, data loss prevention) are necessary but remain insufficient. The company recommends preventing infection through endpoint and IoT connection security:

  1. Identifying every device on the network and assigning it an identity in a profile;
  2. Monitoring the network to detect when any device is exhibiting uncharacteristic behavior;
  3. Onboarding every medical device securely using critical factors in its profile; and
  4. Enforcing access restriction as needed to thwart an attempted breach.
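As an added illustration of those four steps (example code, not from the post or from GreatBay), a minimal Python sketch: each known device gets a profile of the peers and ports it normally uses, observed flows are checked against that profile, and the worst verdict per device becomes an enforcement action. Every device name, MAC address, host and port below is constructed.

```python
# Added example: device profiles plus behaviour checks over constructed flow
# records. All identifiers are invented; nothing here comes from the post.
from dataclasses import dataclass

@dataclass
class DeviceProfile:
    name: str
    mac: str
    allowed_peers: set   # hosts the device is expected to talk to
    allowed_ports: set   # destination ports it is expected to use

# Step 1 and 3: inventory every device and onboard it with a profile.
INVENTORY = {
    "00:11:22:aa:bb:01": DeviceProfile("infusion-pump-3", "00:11:22:aa:bb:01",
                                       {"10.0.5.10"}, {443}),
    "00:11:22:aa:bb:02": DeviceProfile("patient-monitor-7", "00:11:22:aa:bb:02",
                                       {"10.0.5.10", "10.0.5.11"}, {443, 5000}),
}

# Constructed flow records: (source MAC, destination IP, destination port).
FLOWS = [
    ("00:11:22:aa:bb:01", "10.0.5.10", 443),
    ("00:11:22:aa:bb:02", "10.0.5.11", 5000),
    ("00:11:22:aa:bb:01", "10.0.9.77", 445),   # pump reaching an unexpected host/port
    ("00:11:22:aa:bb:99", "10.0.5.10", 443),   # device missing from the inventory
]

def check_flow(flow):
    """Step 2: compare one flow against the sender's profile; return (verdict, reason)."""
    mac, dst_ip, dst_port = flow
    profile = INVENTORY.get(mac)
    if profile is None:
        return "quarantine", f"unknown device {mac} is not onboarded"
    if dst_ip not in profile.allowed_peers or dst_port not in profile.allowed_ports:
        return "restrict", f"{profile.name} contacted {dst_ip}:{dst_port} outside its profile"
    return "allow", f"{profile.name} is within its profile"

def evaluate(flows):
    """Step 4: keep the most severe verdict seen for each device as its enforcement action."""
    rank = {"allow": 0, "restrict": 1, "quarantine": 2}
    actions = {}
    for flow in flows:
        verdict, reason = check_flow(flow)
        mac = flow[0]
        if mac not in actions or rank[verdict] > rank[actions[mac][0]]:
            actions[mac] = (verdict, reason)
    return actions

if __name__ == "__main__":
    for mac, (verdict, reason) in evaluate(FLOWS).items():
        print(f"{mac}: {verdict} ({reason})")
```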

Biomedical devices will have a profound beneficial impact on the quality of healthcare. While creating better outcomes for patients, these systems put hospital and clinic networks at risk for cyber-attack. It turns out that many hospitals aren’t even aware of this problem. So, the more consumers know, the better. And in the end, is more security just what the doctor ordered?