Veterans Administration and Hospitals Taking Steps to Prevent Hacking of Medical Devices and Wireless Systems

Clinical laboratories and anatomic pathology groups face a growing security threat to the integrity of their analyzers, laboratory information systems (LIS), and other devices used daily by their employees.

This rapidly developing threat comes from outside hackers who are launching cyber-attacks aimed at the various medical devices and wireless systems that are directly connected to the Internet and are used by hospitals, physicians, and other healthcare providers. These cyber-attacks demonstrate a new vulnerability that clinical laboratories and pathology groups should recognize.

One high-profile healthcare system that regularly experiences such attacks is the Veterans Administration (VA). For two years, the VA has been fighting a cyber battle against illegal and unwanted intrusions into its medical devices—intrusions that range from simply annoying to costly and life-threatening. These attacks have caused the VA to remove its wireless medical devices and certain other systems from direct Internet access.

After analyzing these cyber-attacks, the VA became so concerned that it moved a number of critical systems—including picture archiving and communication systems (PACS), glucometers, and pharmacy dispensing cabinets—off its primary hospital information system (HIS) and onto separated networks. This was done to prevent these systems from becoming infected should the HIS come under cyber-attack from an aggressive virus.

Cyber-Attack Directed at Bakersfield Hospital

Ronnie Ng, Senior Manager for Systems Engineering, Symantec and Mark Gasson, Ph.D., a Senior Research Fellow at the University of Reading’s School of Systems Engineering

Last year, a computer virus took out the HIS at Bakersfield, California-based Kern Medical Center, even though the system was behind a firewall and on a countywide anti-virus platform. This sent workers scrambling for paper records to keep the healthcare flowing. The hospital believed it was protected from Internet attack until that cyber-attack penetrated its security.

A lapse of judgment by a single employee cost the hospital 16 days of agonizing recovery from a particularly vicious attack. The hackers stuffed porn into the hospital’s computers, forced hospital printers to continuously print until they ran out of paper, and eventually shut down a number of the Kern Medical Center’s systems.

Medical Laboratories Take Note: Wireless Devices are Particularly Vulnerable

Pathologists and clinical laboratory managers must recognize that the widespread use of wireless technology in healthcare creates an entirely new threat. Besides gaining access to hospital information systems, viruses can now infect clinical monitoring devices and even surgically implanted electronic devices! Hackers can cause these devices to display incorrect readouts and even shut down completely. Cyber-attacks no longer just steal private medical records; they threaten lives.

In England, Mark Gasson, Ph.D., a Senior Research Fellow at the University of Reading’s School of Systems Engineering, proved that not only is it possible for a virus to wirelessly infect an implanted medical device, but that same compromised medical device can then go on to infect other systems by making wireless contact with them.

“Most medical devices have little if any security,” said Gasson in a ZDNet interview. “And as the technology develops, they will likely become vulnerable to attacks specific to that technology, and so we need to consider this as we develop the technology.”

“In a worst-case scenario, any infection or damage caused by malware could potentially negatively impact its user,” said Ronnie Ng, Senior Manager for Systems Engineering, Symantec, in the same interview. “As the functions of implants would vary from person to person, any impact would likely be localized. However, once that happens, damage to the brand and image of the institution could be severe.”

Are medical laboratories and pathology group practices becoming more vulnerable to cyber-attack? It seems likely. For one thing, the increased use of wireless devices by clinical laboratory couriers, for example, opens up one channel for a cyber-attack.

Also, over the past decade, in vitro diagnostic (IVD) manufacturers have given many of their diagnostic analyzers and laboratory automation systems the capability to maintain real-time Internet connections. This allows the manufacturers to remotely monitor the performance of these medical laboratory testing systems and conduct remote diagnostics of the analyzers’ components. But these same Internet connections can also be used by hackers as an entry point to mount cyber-attacks on clinical laboratory testing systems.

As more and more clinical systems integrate with the Internet, the barrier to intrusions becomes thinner. Pathologists and clinical laboratory managers would be wise to investigate ways to proactively address this external threat to their laboratory organizations.

—Michael McBride