Play Live Radio
Next Up:
0:00
0:00
0:00 0:00
Available On Air Stations

Hospitals Are Encouraged To Do More To Avoid Medical Device Hacking

STEVE INSKEEP, HOST:

There's a problem when you deliver health care from a distance. Thanks to the Internet, medical scans are read miles from where they are taken. Drugs pumped into patients may be controlled from somewhere else. Many of these devices can be easily hacked. As Paul Flahive of Texas Public Radio reports, it's not a simple fix to secure those devices.

PAUL FLAHIVE, BYLINE: Jay Radcliffe was diagnosed with diabetes when he was 22. For a guy who as a toddler dismantled the doorknobs to see how they worked, the young hacker eventually figured out how to take over his own insulin pump...

(SOUNDBITE OF 2011 BLACK HAT CYBERSECURITY CONFERENCE)

JAY RADCLIFFE: You know, if the evil hacker hacked my pump in the crowd here, he could give me insulin right now without my authority.

FLAHIVE: ...Something he demonstrated at a cybersecurity conference in 2011.

RADCLIFFE: I wrote a program that was able to turn off the pump and change the therapy settings without the user knowing it.

FLAHIVE: Very few had shown how lax the security of these devices were back then. For years, device manufacturers assumed doctors and technicians would only be interested. Radcliffe says when hackers started approaching them with concerns, manufacturers weren't prepared. Some predicted it would take something dire before the situation improved.

(SOUNDBITE OF CYBERMED SUMMIT)

JOSH CORMAN: And I said, guys, I'm not going to lie to you. People will have to die first.

FLAHIVE: Josh Corman co-authored a 2017 congressional report on it.

(SOUNDBITE OF CYBERMED SUMMIT)

UNIDENTIFIED PERSON: Seventy-three-year-old male - he's got left-sided weakness, right-sided facial droop.

FLAHIVE: Doctors at the University of California San Diego participate in a simulation of a ransomware attack.

(SOUNDBITE OF CYBERMED SUMMIT)

RAHUL NENE: So we're going to start with a CAT scan of your head.

FLAHIVE: A CT scanner is suddenly taken offline by the mock attack.

(SOUNDBITE OF CYBERMED SUMMIT)

NENE: Oh, that's going to make things a little bit more difficult.

FLAHIVE: Dr. Christian Dameff narrates the scene to a couple hundred doctors, medical device manufacturers and cybersecurity professionals watching as part of the CyberMed Summit. There are no deaths linked to medical device hacking. But as the demonstration showed, we might not know if there was.

CHRISTIAN DAMEFF: Doctors and nurses don't know about it, and they're not looking for it. Hospitals do not have the security resources and expertise that they need to even detect some of these attacks. Device manufacturers have little incentive to do deep forensic analysis because it may result in a huge issue with them.

FLAHIVE: Dameff says the threat is less from individuals and more from rampant malware.

DAMEFF: And I don't think there's an army of psychopath hackers out there that are ready to do that. Instead, I think we have a far more boring but realistic threat.

FLAHIVE: Connected devices run from the human chest to the bedside with dozens in the average hospital room. And hospitals rarely have staff to ensure they're secure, says Adam Nunn, a security consultant with Clearwater Compliance.

ADAM NUNN: You remember the old cartoons where there's a dam and somebody is trying to plug the holes in the dam and just holes just keep opening up? That's kind of what it's like.

FLAHIVE: The Food and Drug Administration has increased the cybersecurity of devices being manufactured today. But it can't force hospitals to retire older insecure units. The FDA has gotten manufacturers to listen to hackers. Just this summer, they worked together to expose that more than a million drug infusion pumps could be taken over remotely.

That's a far cry from eight years ago, says the FDA's Suzanne Schwartz. Back then, security researchers felt they had to get on a stage...

SUZANNE SCHWARTZ: And do a live demo of a hack in order to get the attention and to get some action from the manufacturer. We're in a very, very different place now.

FLAHIVE: Radcliffe, who now works for a medical device company, says the risks are still outweighed by the reward with his insulin pump and many other connected devices.

RADCLIFFE: Yes, there's some risk. But ultimately, when I look at my health, you know, I can't not have these treatments.

FLAHIVE: Unlike a lot of patients in the U.S., he is doing it aware of those risks.

For NPR News, I'm Paul Flahive in San Antonio.

(SOUNDBITE OF MEDLOW BATH'S "ANATOLE") Transcript provided by NPR, Copyright NPR.

Paul Flahive is the technology and entrepreneurship reporter for Texas Public Radio. He has worked in public media across the country, from Iowa City and Chicago to Anchorage and San Antonio.