This content is part of the Conference Coverage: RSNA 2017 conference coverage and analysis

Medical device cybersecurity critical for patient safety

At RSNA 2017, an expert warns that insecurity of medical devices, including imaging hardware, threatens patient safety. A security director tells how Mayo Clinic protects devices.

CHICAGO -- Healthcare providers, awakened to the need for cybersecurity, are locking down protected health data, but now pervasive medical device cybersecurity weaknesses are posing potentially lethal threats to patient safety.

At the RSNA 2017 medical imaging conference, a health IT and radiology expert warned of what he said is a general obliviousness to medical device cybersecurity among many vendors, and providers.

"Our patients' health ... not just their information, but their actual health, is likely to be at risk in the near future," said Jim Whitfill, M.D., during a cybersecurity panel at the 103rd Scientific Assembly and Annual Meeting of the Radiological Society of North America. "We are woefully unprepared to manage this," said Whitfill, a radiologist and chief medical officer at Innovation Care Partners, a physician-led accountable care organization in Scottsdale, Ariz.

Radiology not immune

Whitfill noted that radiologists and radiology organizations have not been spared from the waves of cybersecurity attacks on healthcare providers or from massive health data breaches in recent years that crescendoed in early 2017 with volleys of ransomware strikes that shut down hospitals.

"It's clear that there are many examples for those of us in radiology that we're just as guilty, just as human as everybody else," Whitfill said.

Meanwhile, the cybersecurity landscape in healthcare is changing, he said, from theft of people's valuable financial data included in health records -- to sell on the black market -- to extortion-motivated attacks such as ransomware that could directly harm patients.

Jim Whitfill, M.D., speaks at RSNA 2017
Jim Whitfill, M.D., chief medical officer, Innovation Care Partners

Dangerous ransomware attack

Whitfill cited the infamous "WannaCry" ransomware attacks that crippled the United Kingdom's National Health Service as an example of patients actually being endangered. Hospitals had to revert to paper charts in emergency departments, which saw traffic drop dramatically, nearly to a standstill in some cases.

"They obviously had to cancel all these surgeries," Whitfill said. "There were transplant patients that could not get the transplants. If I can't get my Botox treatment, that's not a tragedy. But if a patient is waiting for a kidney transplant, or a heart transplant, or a liver transplant and those people are going to die if they wait another 24 hours, that's a real threat to their health, that's not somebody's inconvenience."

Indeed, Kevin McDonald, a medical device cybersecurity expert who appeared with Whitfill at the RSNA 2017 session, confirmed the substance of Whitfill's warnings about the potential for hackers to exploit connected devices in healthcare settings.

Internet of medical things security

McDonald, director of clinical information security at the Mayo Clinic, heads a team of 12 dedicated solely to internet of things issues at what is widely considered one of the best healthcare systems in the U.S.

In 2017, McDonald's group conducted cybersecurity assessments on about 500 medical devices and 50 security penetration tests that included physically taking apart devices.

For vendors, security is usually an afterthought. Many of them are naïve, or clueless. There is little security by design.
Kevin McDonalddirector of clinical information security, Mayo Clinic

Cyberattacks on health systems and their devices are so frequent, numerous and ubiquitous (and often automated) that "we're way past relying on firewalls," McDonald said. "Antivirus no longer works."

"You cannot build a big enough, deep enough moat anymore," he said.

McDonald said more than 7,000 companies are manufacturing products for what he called the "internet of medical devices." The mean number of devices per bed in hospitals is 13, he said "so there's a huge amount of contact patients have with this."

Device security lacking among vendors

Meanwhile, many hospitals can't afford to spend the money to secure their IT systems or devices, even as federal agencies and private sector cybersecurity experts continually call the lack of medical device cybersecurity a major problem.

"For vendors, security is usually an afterthought," McDonald asserted. "Many of them are naïve, or clueless. There is little security by design and there's a massive legacy device security debt."

Another problem is a severe shortage of qualified cybersecurity engineers on the market.

Some device vendors, however, are trying hard, if belatedly, to pay attention to cybersecurity, placing more importance on building security into devices such as infusion pumps, electronic bedside monitors and devices that inject contrast dye for radiology imaging, he said. Many device manufacturers also are now writing software to protect products.

Device security problems

But medical device cybersecurity problems within radiology and other specialties remain widespread, McDonald said, and include:

  • lack of vendor security support for customers;
  • bad or no device encryption;
  • devices shipped with default passwords that have not been removed, and source code that can be found on vendor websites;
  • poor identity proofing;
  • devices that use older, nonupgraded operating systems; and
  • inability to patch devices with security upgrades other than by interrupting patient care and going device by device with outdated serial cables.

"A lot of these have open vulnerabilities," McDonald said.

At Mayo, McDonald's group spends a lot of time thinking about how to reduce risk on a large-scale basis and has integrated itself into the larger healthcare system's capital equipment purchasing process to ensure funding for its work.

Advice from hospital cybersecurity expert

McDonald's counsel for his counterparts in other providers' IT and IT security departments:

"You're going to have to figure out what your standards are, set some minimum requirements, start looking at new purchases," he said. "You're going to have to work with your supply chain and do things differently there. With your vendors, you're going to have to require some remediations."

"But none of this works unless you have a comprehensive security program," McDonald said.

Dig Deeper on Electronic health records security compliance