When medical device manufacturers think about cybersecurity risks, they often focus on deliberate hacking attempts: A terrorist harming people by sabotaging the code in an insulin pump or pacemaker, or a criminal organization using a medical device to pivot into the hospital network for a ransom attack or data theft.
The possibilities for direct, deliberate patient harm are certainly alarming and have been well documented by security researchers and “white-hat” hackers.[1] The prospect of hackers using medical devices as a “weak link” to access hospital networks is also a genuine threat.[2] But the biggest cybersecurity threat for medical devices isn’t a directly targeted attack. Statistically speaking, medical devices are much more likely to be impacted by commodity malware: The same rapidly propagating, indiscriminately targeted bits of malicious code that are the bane of every computer, cell phone and tablet user.
The Reproductive Cycle of Commodity Computer Viruses
By commodity malware, we mean malicious computer code that is designed to affect a specific library or software used across a wide range of devices (such as an operating system or a browser), not necessarily a particular device. Whereas a targeted attack requires a hacker to research a particular device for possible vulnerabilities and specifically target them, commodity malware is opportunistic. It continually makes copies of itself and searches for opportunities to infect any and all devices with which it comes in contact.
These types of viruses don’t know or care that they have infected a medical device. The device is just another vector that can now be used to infect other devices or networks it encounters. The ultimate goal is to infect as many machines as possible in order to open up security holes that can be exploited for other purposes later—often to steal data. Infection of the medical device is just collateral damage as the virus blindly seeks new targets.
Malware can propagate widely in this way, even to devices that are not directly connected to the internet. Viruses can spread to medical devices when they are connected to a laptop or thumb drive to upload patient data or when they connect to a network to get software updates. If any part of the “software ecosystem” that the medical device connects to, even periodically, is infected, malware can spread to the device itself. This is the same way that the Stuxnet virus is believed to have reached centrifuges used in Iran’s nuclear program: By indiscriminately copying itself onto devices throughout the world until it finally found its way to its target, possibly through an infected thumb drive plugged into the secure network.[3]
How Malware Impacts Medical Devices
Attacks directly targeted at medical devices and mHealth apps can raise concerns about data privacy: Does the device store HIPAA-protected medical data or sensitive patient information such as social security numbers and birthdates? Is it connected to a billing system that might allow access to financial information? With commodity malware, data privacy is still a concern, but now you also have to worry about data integrity. Malice is not required for harm to occur; data corruption may occur simply as a side effect of other things the virus is doing in the system as it blindly follows its programming.
Malware can interact with a device’s code in unpredictable ways, even when the device itself is not the target. The malware may overwrite part of the operating system or lock up critical data that the medical device requires for operation, causing unexpected shutdowns or failures under certain conditions. It may cause the device to return bad data. Or it may change the data that the device uses to moderate its behavior. How dangerous or disruptive these code changes are depends on the robustness of the device, how critical the device is for patients or healthcare providers and exactly how the device’s behavior is changed. Imagine the following scenarios:
- A virus locks up the data that an insulin pump uses to determine how much insulin to deliver.
- A ventilator’s code now runs too slow due to the virus hogging system resources, causing it to behave erratically or shut itself off unexpectedly.
- The alert parameters for an mHealth app connected to a monitor are modified, causing it to fail to send important alerts to the patient or doctor.
- A system interrupt is missed, causing a medical sensor to return misleading data, which a nurse relies on to make medication decisions.
- Malicious code erases data from a patient’s Electronic Health Record (EHR) or sends data to the wrong patient record.
These scenarios all present the possibility of real patient harm even though there was no malicious intent in the code. In some cases, the data corruption may be obvious: If the device returns nonsensical data, or simply no data at all, fail-safes in the device or the common sense of the patient or healthcare practitioner are likely to prevent the data from being used in a way that could cause harm. However, if the effects of infected devices are more subtle (e.g., data used for diagnostic purposes is 10% higher or lower than the actual value, a false negative is returned, or an alarm fails to sound), they may be overlooked. In these cases, bad data can lead to significant negative consequences for patients.
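The last two paragraphs make a point worth seeing in code: a plausibility check in the device catches nonsensical values, but a threshold that has drifted 10% from what the clinician configured still looks reasonable and passes. The following is an added example, not code from the article or from any device maker, showing how a monitoring app can seal its alert parameters with an HMAC so that any change to the stored values is detected at load time and the device falls back to conservative defaults. The device key, the parameter names, the clinical ranges and the two corruption scenarios are all constructed for the illustration.

```python
"""Integrity-checked alert parameters for a monitoring app (added example).

A device keeps its alert thresholds sealed with an HMAC-SHA256 tag so that any
change to the stored values, however small, is detected when they are loaded.
Untrusted parameters are replaced with conservative defaults rather than used.
Key, parameter names, ranges and corruption scenarios are constructed for the
demo and are not taken from any real product.
"""
import hashlib
import hmac
import json

# Assumption: a per-device secret held outside the parameter store
# (for example in a secure element). Constructed value, demo only.
DEVICE_KEY = b"constructed-demo-key-do-not-use"

# Assumption: plausible clinical ranges for each alert threshold.
PLAUSIBLE_RANGES = {
    "spo2_alert_low": (80, 95),    # percent oxygen saturation
    "hr_alert_high": (100, 180),   # beats per minute
}

# Conservative settings used whenever the stored parameters cannot be trusted.
SAFE_DEFAULTS = {"spo2_alert_low": 92, "hr_alert_high": 110}


def _canonical(params: dict) -> bytes:
    """Deterministic encoding so equal values always produce the same tag."""
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


def seal_parameters(params: dict, key: bytes = DEVICE_KEY) -> dict:
    """Store the parameters together with an HMAC-SHA256 tag over them."""
    tag = hmac.new(key, _canonical(params), hashlib.sha256).hexdigest()
    return {"params": params, "tag": tag}


def integrity_ok(sealed: dict, key: bytes = DEVICE_KEY) -> bool:
    """Recompute the tag over the stored values and compare in constant time."""
    expected = hmac.new(key, _canonical(sealed["params"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("tag", ""))


def plausibility_ok(params: dict) -> bool:
    """Range check alone: catches nonsense values but not subtle shifts."""
    for name, (low, high) in PLAUSIBLE_RANGES.items():
        value = params.get(name)
        if not isinstance(value, (int, float)) or not low <= value <= high:
            return False
    return True


def load_parameters(sealed: dict, key: bytes = DEVICE_KEY) -> tuple:
    """Return (status, parameters the device should actually use).

    status is "ok", "tampered" (tag mismatch) or "implausible" (tag valid but a
    value lies outside its clinical range). Anything but "ok" yields the safe
    defaults, so the device fails toward more alerts rather than fewer.
    """
    if not integrity_ok(sealed, key):
        return "tampered", dict(SAFE_DEFAULTS)
    if not plausibility_ok(sealed["params"]):
        return "implausible", dict(SAFE_DEFAULTS)
    return "ok", dict(sealed["params"])


def corrupt(sealed: dict, name: str, new_value) -> dict:
    """Simulate malware or a fault overwriting one stored value in place."""
    damaged = {"params": dict(sealed["params"]), "tag": sealed["tag"]}
    damaged["params"][name] = new_value
    return damaged


# Constructed scenarios.
GOOD = seal_parameters({"spo2_alert_low": 90, "hr_alert_high": 120})
# Threshold silently lowered by 10%: still a "reasonable" number, so a range
# check passes and the patient gets fewer alerts than intended.
SUBTLE = corrupt(GOOD, "spo2_alert_low", 81)
# Bit-flip-style garbage: obviously wrong, any range check catches it.
OBVIOUS = corrupt(GOOD, "hr_alert_high", 12000)


if __name__ == "__main__":
    for label, sealed in (("good", GOOD), ("subtle", SUBTLE), ("obvious", OBVIOUS)):
        print(f"{label:8s} range check only: {plausibility_ok(sealed['params'])!s:5s}"
              f" | integrity + range: {load_parameters(sealed)[0]}")
```

Running the script shows the difference the article describes: the obviously corrupted record fails both checks, while the subtly shifted threshold passes the range check and is only caught because the tag no longer matches. In a real device the key would live in hardware-backed storage and the "tampered" status would also be logged and surfaced to the clinician, since a tag mismatch is itself a sign that something has written to the parameter store.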