Cybersecurity in Hospitals: Protecting Electronic Patient Devices from the Risk of Hacking

By: William Brady and Emma Glazer
Friday, August 7, 2015

Almost every day there are reports of hackers breaching security protocols in banks, major chain stores and government offices to steal private, personal information. While these stories generally focus on the risk to one’s credit score and the prevalence of identity theft, little attention has been paid to the threats to electronic medical devices with wireless capabilities.

Recently, it was reported that three medical device manufacturers have produced devices susceptible to hacking. Hospira, Medtronic and St. Jude Medical Inc. manufacture electronic devices that operate on hospital wireless networks. These devices are popular because they can both receive instructions from nurses and physicians remotely, such as to increase a medication dosage, and also transmit data back to the internal hospital server.

In an October 2013 episode of 60 Minutes, former Vice President Dick Cheney revealed that due to assassination concerns in 2007, he disabled the wireless features on his pacemaker. Likewise, the popular Showtime drama Homeland featured an episode in which the fictional vice president was assassinated when terrorists hacked into his pacemaker and turned it off. In response to these concerns, the FDA released a statement that it was “not aware of any patient injuries or deaths” associated with hacking. Concurrently with that statement, the FDA requested that medical device manufacturers and facilities update their cybersecurity protections.

Recently, medical device hacking has returned to the spotlight following a report by security researcher Billy Rios. Rios announced that while prior investigations revealed vulnerabilities in the Hospira LifeCare PCA Infusion System that could allow medication maximum dosage alarms to be modified, new research indicates that the actual dosage administered to a patient could be altered. Such vulnerabilities make the devices susceptible to fraudulent manipulation of medication doses by any individual on the hospital network, or even by a hacker over a wireless connection.

To date, Hospira has denied that such vulnerabilities exist. On June 10, the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team issued an advisory regarding the Hospira infusion pump’s security risks. Though Hospira is developing a new version of the pump that would prevent unauthorized changes to the medication dosage and unauthorized access to the device, the product is not yet on the market. Moreover, Hospira has not confirmed that the pump’s vulnerabilities can in fact be exploited, and hospitals may not be aware of the security risks they are harboring. Given the public advisory, however, hospitals may be deemed on notice of the device flaw and could be held liable if a device is in fact hacked and a patient is administered a fatal or harmful dose of medication.

To reduce the risk of hacking, medical providers and facilities should ensure that all wireless pumps are placed on a secure network system, isolated from the wider Internet. Alternatively, the pumps can be connected to the hospital network with a wired connection. The first option is preferable for operational efficiency because those devices can still be monitored on the hospital network and can still receive remote medication dosing changes. On the other hand, a pump that is disconnected from the wireless system will have to be manually updated, requiring additional nursing or physician intervention, and increasing the risk of manual dosing entry error. Moreover, providers should update their cybersecurity software and increase monitoring of hospital networks for suspicious Internet activity.

As electronic medical devices become more prevalent, so too does the risk that hackers will exploit potential security flaws. Hospitals and device manufacturers alike must implement the appropriate security protocols to protect not only the private health information of their patients, but also those wireless devices administering lifesaving treatments to their patients.

William Brady is a Senior Partner at Martin Clearwater & Bell LLP. He focuses his practice on the defense of physicians, nurses and other medical professionals in medical malpractice cases.

Emma Glazer is an Associate at Martin Clearwater & Bell LLP. She focuses her practice on the defense of medical malpractice cases.