Connected medical devices do pose security risks, but the nightmare scenario of a hacked pacemaker being used for an assassination is not top-of-mind for the executives in charge of security at major health systems. At the HIMSS Privacy and Security Forum yesterday, executives from the Mayo Clinic, UPMC, and Partners Healthcare discussed medical device security on a panel moderated by Healthcare IT News Editor Tom Sullivan.
“Nobody’s figured out quite how to monetize direct-to-patient harm,” Kevin MacDonald, director of clinical information security at the Mayo Clinic, said. “That may be coming up. We never thought we’d see ransomware five or ten years ago. And we have patients who are of great geopolitical importance — there’s always a ‘not on my watch’ for those guys and we still have to be wary of that. But for your average patient, we aren’t too worried.”
Rick Hampton, wireless communications manager at Partners, echoed these sentiments, adding that his job is to assess the threats that pose the greatest risk.
“A couple of years ago, Dick Cheney had the wireless connection turned off on his pacemaker, and I think he’s the only person I know of that really needed to do that,” Hampton said. “The average person is not going to be targeted. I don’t lose any sleep over assassinations. It’s possible, just like it’s possible for an asteroid to strike in the middle of this conference. We’re really great at coming up with examples of how things can be hacked and how someone could be harmed. What we’re really terrible at is putting that in context of what is realistic, what is a real risk.”
John Houston, vice president of privacy and information security at UPMC, said that medical devices are mostly a hacking risk not because of the potential of assassination, but because they tend to have a longer life cycle then other connected devices so their operating systems more quickly become outdated and therefore vulnerable. If they are connected to the rest of a hospital’s network, then this can become a vulnerability for the whole system.
“There’s a lot of manufacturers starting to come up with embedded cellular communication technology,” Houston said. “Some of that’s in-home and some of it’s used within a hospital setting. It does challenge your security models, because no longer can you micro-segment that equipment, because it’s coming in with its own communication pathway.”
Hospitals mostly manage device security through rigorous rules about security of devices they purchase. But in the current age of BYOD for both doctors and patients, as well as heavy volume of acquisitions for big health systems, that’s just not enough, Hampton said.
“The thing that scares me the most isn’t the devices from large medical device manufacturers,” he added. “It’s that doctors want to use consumer grade devices to do things. They want to track fitness levels with any number of devices you can buy for $19.95 at Kmart. And there’s a bunch of issues with that. But I guarantee you there’s no one making a consumer grade device that doesn’t connect … with every other Bluetooth device it can find.”
In general, Hampton said, hospital information security is an uphill battle, and other parts of the health system — including innovators looking to add connectivity into the system — have to be aware of the risks.
“Anything we build can be hacked,” he said. “We’ll never ever be able to absolutely secure it. So with the increasing demand to put more and more stuff on our network, at some point in time we’ve got to sit down and ask ‘Do we really need this thing connected to our network? Really?’”