Beyond the Surface: The Dark Truths of Aging Medical Devices
I’ve been wanting to write an article about this issue for ages, but life kept getting in the way. But hey, here I am, finally putting it down!
So, you know how it is – sometimes you come across new stuff or see things you’ve never seen before, and it just freaks you out. And in those moments, I’ve got this phrase I use: “new fear unlocked,” kinda like when you’re playing a game and you reach a new level or find new tools, but in this situation it is a new fear.
Now, let me paint the picture for you: I’m done with work, hitting the gym, and tuning in to a podcast – “Darkness Diary” (very, very good, highly recommend it), to be exact. So, I’m listening to this episode (you can check it out here), and it triggers a whole new fear in me. I can’t exactly remember all the details, but it was about hacking medical devices and how this could impact a surgery; in the episode it had to do with eye surgery.
Think about it, you are getting a surgery – you’re already nervous about going under the knife: will you wake up okay from the anesthesia, or will the surgery itself go fine? But now, on top of all that, you’re also worrying about whether the equipment they’re using is outdated or even safe enough.
Did I just pass on some of that fear to you?
Because I’m not one to just back down when something scares me, I decided to dig a little deeper into this issue. My main goal? To understand the weak points of these aging medical devices and to figure out how hackers could actually use those weak points to mess things up.
What are medical devices and why are they usually outdated?
According to the WHO, a medical device is a purpose-built tool employed in healthcare to diagnose, treat, or observe medical conditions. For example, an MRI machine uses powerful magnets and radio waves to generate detailed images of internal body structures, while a PET scan (positron emission tomography) creates visualizations of metabolic processes, aiding in disease detection and evaluation. They are basically all the equipment that you see when you go to a hospital. However, since individuals often don’t perceive them as tangible devices linked to a network with firmware, these devices frequently remain outdated and aren’t updated to counter the latest vulnerabilities. This situation renders them highly susceptible to exploitation by hackers.
But we do have to keep in mind that medical devices are equipped with firmware, which refers to embedded software responsible for controlling the device’s functions. Just as you would update the firmware on your office computer, it’s essential to update the firmware on medical devices to enhance their security and address potential vulnerabilities.
Given the critical importance of updating these devices, one might wonder why they aren’t more frequently updated. There are several reasons behind this, which I’ve summarized for you:
- Cost: The cost of updating medical devices can be high. Due to hospitals operating within constrained budgets, it might not hold the highest priority.
- Complexity: The process of updating medical devices can be complex. For example, some medical devices require specialized software and hardware to update. This can make the process time-consuming and error-prone. Consider the scenario where you’ve dedicated a solid 20 hours to meticulously updating a medical apparatus, only to find yourself unable to utilize it any further due to an unexpected glitch that occurred during the update procedure.
- Lack of support from the manufacturer: The manufacturer of a medical device may no longer provide support for older versions of the software. This can make it difficult or impossible to update the device. It is similar to trying to upgrade your iPhone 8 to the most recent version of iOS.
- Risks of updating: In some cases, the risks of updating a medical device may outweigh the benefits. For example, updating a device may introduce new vulnerabilities that could be exploited by cyber attackers.
What are the specific vulnerabilities of outdated medical devices?
Now that you’ve gained a better understanding of medical devices and the updating challenge, let’s delve into the vulnerabilities that arise from this situation.
- Outdated software: Many outdated medical devices are running on software that is no longer supported by the manufacturer. This means that there are no security patches available to address vulnerabilities in the software. For example, a 2021 study by the cybersecurity firm Forescout found an average of 6.2 vulnerabilities in each medical device. These vulnerabilities could be exploited by cyber attackers to gain control of the device or to steal patient data.
- Weak passwords: Many outdated medical devices have weak or default passwords that are easily guessed by cyber attackers. For example, a 2020 study by the security firm Rapid7 found that 70% of medical devices had default passwords that were still in use. This makes it easy for cyber attackers to gain access to the device without having to know the actual password.
- Insecure communication: Many outdated medical devices communicate with other devices or networks over insecure protocols. This makes it easier for cyber attackers to intercept and manipulate data. For example, a 2022 report by the FBI found that many medical devices are still using the Simple Network Management Protocol (SNMP), which is a widely known and easy-to-exploit protocol.
Potential consequences of a cyberattack on outdated medical devices
These vulnerabilities can have consequences ranging from serious for hospitals to life-threatening for patients.
- Patient harm: Cyberattacks on medical devices can have a direct impact on patients. For example, an attacker could gain control of a pacemaker and change the heart rate, or they could inject a patient with a lethal dose of medication. In 2017, the WannaCry ransomware attack infected over 200,000 computers worldwide, including some medical devices. The attack caused significant disruption to healthcare services, and it is believed that at least five patients died as a result of the attack.
- Data breaches: Cyberattacks on medical devices can also lead to data breaches. This can happen if an attacker gains access to the device’s memory or if they are able to intercept data that is being transmitted from the device. Data breaches can expose patient information, such as names, addresses, and medical records. This information can be used for identity theft, fraud, or other criminal activity. In 2018, a cyberattack on the MedStar Health healthcare system in the United States infected over 100,000 computers, including some medical devices. The attack caused the system to go offline for several days and disrupted patient care. The attack also exposed the personal information of over 1.5 million patients.
- Financial losses: Cyberattacks on medical devices can also lead to financial losses. For example, an attacker could disrupt the operations of a hospital or other healthcare organization, which could lead to lost revenue. They could also steal money from the organization or from patients. In 2019, a cyberattack on the Universal Health Services healthcare system in the United States caused the system to go offline for several days and disrupted patient care. The attack also cost the organization over $670 million in damages.
What measures can be taken?
Having witnessed the dire consequences of a cyber attack on outdated medical devices, what steps can be implemented to avert such risks?
To ensure the security of medical devices from potential cyber threats, healthcare organizations can follow a series of straightforward practices. Staying up-to-date with the latest security patches and updates is crucial, similar to installing essential updates on your computer to keep it running smoothly. Employing strong passwords adds an extra layer of protection, just like using a sturdy lock to secure your home. Organizations should also ensure that these passwords are regularly changed and kept confidential.
Furthermore, focusing on secure communication protocols is essential. Think of these protocols as secure tunnels that ensure sensitive information remains private as it’s transmitted. To enhance defenses, implementing tools like firewalls and intrusion detection systems is vital. Firewalls act as digital shields that prevent unauthorized access, while intrusion detection systems work like alarms, notifying administrators about any unusual activity.
Regular testing serves as a check-up for devices, ensuring they function correctly and aren’t susceptible to cyber attacks. Consider these tests as routine health exams for devices. Lastly, planning to replace outdated devices with more secure models is crucial. It’s similar to trading in an old smartphone for a new one with better features. These practices work cohesively, forming a comprehensive shield against cyber threats for medical devices.
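The three weaknesses listed earlier (outdated software, default passwords, insecure protocols) can be checked against a device inventory before deciding what to patch, lock down or replace. The following Python script is an added example, not part of the original article; the inventory columns, the device names and the protocols other than SNMP are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (hypothetical devices, not real data).
INVENTORY_CSV = """device,firmware_support_ends,default_password,protocols
infusion-pump-01,2019-06-30,yes,snmpv1;http
mri-console-02,2030-01-01,no,snmpv3;https
patient-monitor-03,2027-12-31,yes,https
pet-scanner-04,2021-03-15,no,telnet;snmpv2c
"""

# Cleartext protocols; only SNMP is named in the article, the rest are an assumption.
INSECURE_PROTOCOLS = {"snmpv1", "snmpv2c", "telnet", "ftp", "http"}


def audit_device(row, today):
    """Return a list of (issue, mitigation) findings for one inventory row."""
    findings = []
    if date.fromisoformat(row["firmware_support_ends"]) < today:
        findings.append(("outdated software: vendor support ended",
                         "isolate on a restricted network segment and plan replacement"))
    if row["default_password"].strip().lower() == "yes":
        findings.append(("weak password: default credential in use",
                         "set a unique strong password"))
    insecure = sorted(set(row["protocols"].lower().split(";")) & INSECURE_PROTOCOLS)
    if insecure:
        findings.append(("insecure communication: " + ", ".join(insecure),
                         "disable it or move to an encrypted equivalent"))
    return findings


def audit_inventory(csv_text, today):
    """Audit every device; return {device: findings}, most findings first."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row, today)
        if findings:
            report[row["device"]] = findings
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for device, findings in audit_inventory(INVENTORY_CSV, date(2024, 1, 1)).items():
        print(device)
        for issue, fix in findings:
            print(f"  - {issue} -> {fix}")
```

Devices with the most findings come first, which gives a starting order for the patching, password and replacement work described above.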
Alright, now you might have a new concern sparked, just like I did. So, how about changing your initial question to a surgeon? Instead of asking about the duration of the surgery, consider inquiring whether the medical devices being used have been updated with the latest software patches.
Sources:
Weiner, S. (2021, July 20). The growing threat of ransomware attacks on hospitals. AAMC. Retrieved from https://www.aamc.org/news/growing-threat-ransomware-attacks-hospitals
MedTech Dive. (2023, August 15). FBI warns of cyber risks from legacy medical devices. Retrieved from https://www.medtechdive.com/news/fbi-cyber-warning-legacy-devices/631935/
FBI. (2023, August 15). Unpatched, outdated medical devices raise cyber attack opportunities, affecting operational functions. Retrieved from https://industrialcyber.co/medical/fbi-says-unpatched-outdated-medical-devices-raise-cyber-attack-opportunities-affecting-operational-functions/
Secureworks. (2023, June 19). What you need to know: FDA updates to medical device cybersecurity. Retrieved from https://www.secureworks.com/blog/what-you-need-to-know-fda-updates-to-medical-device-cybersecurity
A very clear description of the risks of non-up-to-date software releases. Especially in the health industry!
I would suggest choosing material that runs its software in the cloud (SaaS), to always benefit from the last release, instead of on-premise solutions.
Very interesting article!