Jeff Tully, MD, pediatrician, anesthesiologist and security researcher affiliated with University of California Davis Medical Center, has extensive expertise in medical device cybersecurity.
Dr. Tully's research, along with his colleague Christian Dameff, MD, a clinical informatics fellow at UC San Diego, focuses on best prevention methods for medical device cyberattacks and preparing hospitals with proper cyber hygiene.
Here, Dr. Tully discusses motivations behind medical device cyberattacks and what devices present the greatest vulnerabilities.
Editor's note: Responses have been lightly edited for clarity and length.
Question: Why would someone want to hack a medical device?
Dr. Jeff Tully: The motivations for hacking can be pretty complex and multifactorial. Some people and organizations obviously work for profit, and there are those out there who are just kind of mischief breakers. There are also people who are looking at certain political or economic objectives. My favorite type of hackers are the 'good guy' hackers, or the security researchers who make the system stronger by actually discovering and then fixing vulnerabilities. These people work on medical devices to advocate and improve patients' safety.
The thing that I find most interesting and potentially concerning is when you have indiscriminate attacks and exploits that affect common operating systems or architectures. Some of these medical devices that we talk about, such as legacy equipment running super old operating systems that may have software or firmware as part of the package of that device, are known to be vulnerable, so when you have attack vectors that are very indiscriminate in what they're looking after you can sometimes have attacks that aren't really aware that they're affecting medical devices. A good example of that was the WannaCry malware attack that affected more than 80 hospitals in the United Kingdom's National Health Service back in 2017. That was a malware that exploited a windows operating system vulnerability and it didn't know to stop at the digital border of a hospital, and as a result there was a widespread disruption of services, so that is more than just the individual motivations of a particular hacker. That's something that we think about a lot is that these systems are inherently vulnerable based on their components, and so people may not even be looking to target medical devices, but they may be ultimately affected.
Q: What types of medical devices are most vulnerable to cyberattacks?
JT: It is helpful to think about this in terms of risk. The FDA is one of the major regulators of these devices and it has some solid premarket cybersecurity guidance for vendors in terms of how they can best design their systems secure for cyberattacks. They define risk as far as tiers go. They say that Tier 1 higher cybersecurity risk is a device that can connect either wired or wirelessly to other medical devices, a nonmedical product, network or to the internet. Tier 1 is also defined as a cybersecurity incident that affects these devices which could directly result in patient harm to people that are making use of it. These are the things that you think about commonly that are in hospitals such as infusion pumps, potentially some of the diagnostic equipment that we use like imaging scanners, implantable medical devices, which are obviously becoming more and more popular and are great tools to improve the care of patients, and things like insulin pumps or pacemakers. With all these devices, the key element is that they're connecting to other systems. Primarily that's a design feature to ensure that physicians and other clinicians can get data or monitor patients from afar to provide some additional functionality that we didn't have in the past. All of that is fantastic, but that element of connecting them to other devices or networks is what creates that potential vulnerability.
Q: How are device companies incorporating cybersecurity defenses into their products?
JT: There are lots of good resources out there for device companies that are looking to design secure devices. In addition to the FDA's pre- and post-market guidance for designing trustworthy devices, things like authentication processes and cybersecurity bill of materials can be helpful. The cybersecurity bill of materials, or a software or hardware bill of materials, is a sort of recipe of all the individual software libraries or firmware architectures that went into designing a device. A hospital can use these bills when it is looking for a new device to add to its collection.
Q: What type of cyber incident response plan should a hospital implement to protect against cyberattacks on medical devices?
JT: Myself and my research colleague Dr. Christian Dameff are trying to develop answers to these questions. When it comes down to what can we really do to protect against these types of events, I think the first point is, with everything else in medicine, an ounce of prevention is worth a pound of cure. So, your basic cybersecurity hygiene practices and ensuring that those are something that all your staff members and clinicians are routinely trained on. You can have the world's most secure medical device that's really solid from a design standpoint, but if it's implemented in a fashion with the end user that is not secure, or they disabled functionality or they have it on a flat network that's not encrypted, these types of things make it difficult. You're sort of at a disadvantage before you even start taking care of patients. So, basic cybersecurity hygiene is very important. Having the ability to have a forensic side of your IT operations to be able to both monitor for abnormal behavior but then also once that happens to be able to quantify what's going on and learn about it as opposed to just switching it out for the next medical devices in the roster is also very important.