San Diego cyber security expert Ted Harrington with Independent Security Evaluators invited us to his Downtown office to see how quickly and easily he and his colleagues demonstrate successful hacks of modern medical devices. Medical devices like pacemakers and patient monitors are some of the newest vulnerabilities to cyber attack in the healthcare industry.
The threat hits home. According to the California Life Sciences Association, the state has more medical device jobs that anywhere in the nation, with 74,000 employees. A total of 7,700 of them are based in San Diego.
San Diego is a city that’s no stranger to malicious software or “malware” assaults on the medical sector. Last year, the 306-bed Alvarado Medical Center had its computer system affected by what it called a “malware disruption”. The hospital briefly considered doing an on-camera interview with us about the security changes that have been implemented since the incident, but then it backed out.
The hospital spokesperson cited in part, “A careless slip during an interview can reveal possible [vulnerabilities] in our ‘armor’ that a hacker can take advantage of.”
Also last year, nearby Hollywood Presbyterian Medical Center made headlines when it paid a $17,000 ransom to the hacker who froze its computer system for several days.
“Healthcare is attacked more than any other industry because that’s where the money is,” writes prominent cybersecurity company Sophos in its SophosLabs 2018 Malware Forecast report.
A records check on the U.S. Department of Health and Human Services’ Office of Civil Rights website shows a total of thirteen California healthcare facilities that are currently under investigation for reported hacks.
Now, the threat to patient privacy could be challenged by a threat to patient safety.
Harrington and his team connected my finger to a sensor that was attached to a patient monitor. My healthy vitals were displayed on the patient monitor screen and on the screen representing a nurse’s computer.
In a real-world setting, that nurse’s computer would be in a different room from the patient and his or her monitor. 10News Reporter Jennifer Kastner was asked to remove my finger from the sensor, to make it look like she was flat-lining, but Harrington and his team hacked the nurse’s computer in seconds to make the nurse’s computer show that she was still healthy.
He and his team also showed us they could hack a patient’s displayed blood type.
“If the physician thinks the patient is a certain blood type and orders a transfusion of a different blood type, that directly hurts the patient. It would most likely result in a fatality,” says Harrington.
In October, the FBI put out a warning about the growing concern over cyber criminals targeting unsecured “Internet of Things (IoT)” devices, including medical devices like wireless heart monitors and insulin dispensers.
Years ago, it was reported that former Vice President Dick Cheney had his pacemaker altered to prevent an assassination attempt.
“We can’t bury our heads in the sand anymore. These types of medical cybersecurity vulnerabilities are going to become commonplace,” says Dr. Christian Dameff with UC San Diego Emergency Medicine.
Dameff is also a self-described hacker. Despite the FDA’s claim that there aren’t any known cases of patients’ devices getting hacked, Dameff believes attacks have happened and they were likely accidental, but never got reported.
“These devices in our systems are not well equipped to even discover these types of attacks,” he said. “It’s essentially like asking a toaster to figure out if your house has been hacked. They’re just not designed to find out.”
The experts we spoke to want to make it clear that while there’s a threat of cyber attacks on medical devices, the likelihood of it happening to the average patient is low. They urge people to stay mindful of the risks and talk to their healthcare providers about solutions.