October 5, 2016
Inoculating Against a Cyber Attack
By Rachel Ansley
“The risks of connected medical devices can be anywhere on a spectrum: from almost none to life and death,” said Woods. He added: “Capabilities that can save lives in the hands of a trained physician, can end life if used inexpertly or if their integrity is compromised by an intentional adversary or indiscriminate accident.”
On October 5, Johnson & Johnson issued a warning to patients that the OneTouch Ping insulin pump systems are vulnerable to a cyber hack that could overdose diabetic patients with insulin.
“It’s not that someone believes that these devices are perfect or infallible, but when you know that they must fail, [ensure that they] fail in a way that’s visible and that doesn’t put patient safety at risk,” said Woods.
The vulnerability was discovered by the cybersecurity researcher Jay Radcliffe, who works for the firm Rapid7, which then informed Johnson & Johnson of its findings. Woods said “the collaboration between medical device manufacturers and security researchers is incredibly beneficial to help ensure that patient safety and public trust are preserved.”
In August, cybersecurity research firm MedSec Holdings and short seller Muddy Waters claimed that St. Jude Medical’s implantable pacemakers and defibrillators were vulnerable to cyberattacks. St. Jude’s has refuted this claim.
Woods stressed the need for collaboration between security researchers, care providers, and patients, as well as the importance of benevolent intent. He and Joshua Corman, director of the Cyber Statecraft Initiative, are involved in the I Am The Cavalry (.org) movement which released a Hippocratic Oath for Connected Medical Devices.
Beau Woods spoke in a phone interview with the New Atlanticist’s Rachel Ansley. Here are excerpts from our interview.
Q: What is the risk associated with medical devices that are susceptible to cyber attacks?
Woods: The risks of connected medical devices can be anywhere on a spectrum: from almost none to life and death. Capabilities that can save lives in the hands of a trained physician, can end life if used inexpertly or if their integrity is compromised by an intentional adversary or indiscriminant accident.
In [the Johnson & Johnson insulin pump] case, a researcher found a security flaw in the device itself, worked very closely with the manufacturer, who was very responsive and who proactively addressed the issue, issued a notification to patients to let them know what to be aware of, and is working on taking care of those types of issues in their design lifecycle.
Q: Has an individual’s medical device ever been hacked?
Woods: I often get asked whether or not anyone has actually died of a hacking accident, and usually we say no, we don’t know of a confirmed case, but the reality is we don’t really know because most of the devices don’t have the capability to track what’s happened. When they do, those records are generally not secured in a way that could prevent hackers from deleting them. Even if they are secure, oftentimes physicians and hospitals don’t think to look for some evidence of malicious tampering. So the real answer is that we don’t really know right now.
I suspect that there have probably been a few cases where malicious software has caused harm, but it’s probably not been targeted and intentional. Yet. For instance, Hollywood Presbyterian Medical Center was shut down or had to divert patients away [in February] because of malicious software on one of its electronic medical record systems. It wasn’t that somebody was targeting a hospital, or even that hospital, or even electronic medical records systems, but the common software components that are used in medical device systems and electronic healthcare systems are also present in web servers and in desktops. In the case of Hollywood Presbyterian, the flaw that was exploited was known about for several years, and it went unfixed in that particular system, even though it had been fixed in some of the desktops and some of the web servers. The collaboration between medical device manufacturers and security researchers is incredibly beneficial to help ensure that these types of things don’t happen in the future.
Q: In August, it was claimed that St. Jude’s pacemakers and defibrillators had cybersecurity flaws. The discovery about One Touch Ping’s insulin pumps makes this the second high profile instance where medical devices have been found vulnerable to cyber hacking in the last few months. More than 114,000 insulin pumps have been sold. What can patients who have these pumps do to protect themselves?
Woods: In general, when patients are deciding on the best course of treatment with their physicians, then the patients and the physicians can decide on that together. Patients can ask about cybersecurity capabilities in place, they can ask whether or not these devices have been tested.
The physicians should also ask the medical device makers, the hospitals that they work for, and whoever else is involved in the chain of care delivery. In January, Josh [Corman] and myself, through our volunteer grassroots initiative called I Am The Cavalry, released a Hippocratic Oath for Connected Medical Devices. It translates the spirit of the Hippocratic Oath for physicians to medical devices and others in the chain of care delivery, the idea being that as a physician takes a symbolic oath to act in the best interest of their patients, increasingly, medical devices are the instruments of that care delivery. It makes sense that the medical devices should also be designed, installed, implemented, used, and maintained with that same spirit of care. The Hippocratic Oath for Connected Medical Devices is a set of five statements that medical device makers can attest to and then demonstrate how they uphold those [statements]. It basically comes down to what is your ready posture toward failure that may result in patient harm. The five are: How do you anticipate and avoid failure? How do you take help avoiding failure? How do you instrument and learn from failure? How do you ensure that failure does not cause harm? How do you inoculate against future failure?
The coordination between Rapid7, the researcher, and the medical device maker sets a gold standard and is a counterpoint to the issue with Muddy Waters, MedSec, and St. Jude’s, where Muddy Waters and MedSec didn’t give any warning to any parties before going public with their findings. On the other hand, Rapid7 and Jay Radcliffe [a senior security consultant at Rapid7] worked for months and months and months in close cooperation with Johnson & Johnson to make sure that patient safety was first and foremost the top priority on everyone’s minds. I think the way that it’s phrased really well can be seen on I Am the Cavalry’s Position on Disclosure: “those concerned with public safety and human life should take sufficient care to avoid inadvertently putting them at risk.”
Q: With that idea of inoculating against known problems, do you think that the patients using these pumps need to get new devices?
Woods: That’s a patient-care decision. The patients should consult with their physicians on what the best course of treatment is for them. In some cases, the patient may wish to get a new device, in some cases they may wish to do without the device, [opting for] manual doses of insulin, the way that the security researcher [Radcliffe] has chosen to do because of his preferences. They may be able to take certain other actions like turning off some features that expose them to greater harm, what we call elective complexity, elective risk. A lot of the things that the patients can do in this specific case are outlined in the patient safety communications that were sent from Johnson & Johnson to all the patients. There are also some steps that the company Rapid7 outlined in their disclosure statement. Why is this type of collaboration so critical in protecting patient safety? Because at the end of the day, it’s all about patients.
Q: Brian Levy, the chief medical officer of Johnson & Johnson’s diabetes-case business, claimed that the risk of hacking for patients who currently own these devices is “minimal.” Can we say with conviction that this threat is minimal?
Woods: Based on what I know, I would say that the threat is minimal. [Radcliffe] said the sophistication needed to pull off this type of a hack is actually very, very high. It’s not just anyone who can do it. However, the threat adversary is always increasing. If you look at the capabilities that only nation states could possess ten years ago, today [they] are freely downloadable from the Internet and anyone can have them in many cases.
It’s important to be vigilant, to continue to improve. Ten years from now, the threat landscape will have changed. It’s an always-evolving type of situation. For the moment, the vulnerability discovered by Rapid 7 is unlikely to cause harm to most patients. In consultation with your medical professional you can take certain choices and make certain trade offs on how to use the pump more safely or how to go off of it altogether, if that’s your choice.
Rachel Ansley is an editorial assistant at the Atlantic Council.