John Critelli
“Does anybody think you can’t hack a hospital? Because you can.”
That’s what Colin Morgan, information security officer at Johnson & Johnson, said at the “Internet of Medical Things” conference on July 29.
Morgan, the keynote speaker, addressed an audience of pharmaceutical professionals, security consultants, and related workers at the Chauncey Hotel and Conference Center, near Princeton.
Organized by the BioPharma Research Council, the conference featured speakers from organizations like Sage Bionetworks and the U.S. Food and Drug Administration (FDA), who gave the attendees a more in-depth look at medical devices and their security risks. Later in the day, Morgan and Miranda Alfonso-Williams, of the WAM Management Consulting Group (Princeton Junction), led a workshop for the attendees.
To illustrate his point, Morgan referred to a recent report by a security organization called TrapX. He explained that the organization had been “deploying some of their tools at a few different hospitals, and they found information that they didn’t expect to find. What they found was in each hospital there were a handful of medical devices that had malware running on them.”
He added that such malware might exist to spread to other systems or to steal data from the devices. “Now, what I don’t want you to think is that these are significant threats that tomorrow, ten people are going to get their pacemakers hacked and get killed, because that’s not true.” Although such attacks are theoretically possible, he said, security threats currently center around data collection.
Morgan said that data collection is often performed by foreign governments. “There have been a lot of federal government hacks over the past year, where they’re pilfering the information of federal employees,” he explained. Such hacks have made national news in recent months. He then added that “a lot of the threats come from countries like North Korea and China. China is very well known for sitting quietly, just gathering and doing reconnaissance and taking as much data as they can. So they’re data junkies, and if they can break in any systems and get your data, that’s what they’re going to do.”
Morgan explained the reasons for these vulnerabilities. “When you think about medical devices, they can have a lifetime of twenty years,” he said. That often leaves vulnerabilities in older devices, like those running on Windows XP. Morgan said that since Microsoft recently stopped supporting the operating system, “trying to move from Windows XP to the next version is something that could take years. It’s not easy to do.”
Additionally, Morgan said, existing regulations don’t address cybersecurity issues. He explained that the FDA “issued guidance around some of the cybersecurity recommendations last year, but there’s no regulation that says ‘you must do this.’ So when you talk to a developer or manufacturer in the space, and you talk about security, their first response is ‘we follow all the regulations.’ And then you remind them security’s not part of the regulations, and the light bulb goes off and they think ‘Oh, holy cow, you’re right. It’s not there. We should pay attention to this.’”
Vulnerabilities also arise due to hospitals’ growing record systems, according to Morgan. He explained that “the hospitals want as much data in there as they can. So they want that infusion pump, they want that cardiac distress monitor, they want that ultrasound equipment that’s a legacy technology—they want it connected to the hospital system tomorrow so they can get the data off it, so they can provide you better care.”
Devices built with open source technology can also give hackers an opportunity, Morgan said. He explained that “somewhere upwards of 80 percent of the issues in anything technology-related are because of open source—because of the free software that’s out there—and because of not providing updates and patches for these devices.”
Morgan noted that these vulnerabilities are currently being addressed by a variety of organizations. “Manufacturers are building programs to focus on this. Hospitals are starting to drive requirements around security when they purchase a product.”
He said that the Mayo Clinic, a large and influential medical practice based in Minnesota, is one of the leaders in setting requirements. And he told the audience that “if they’re going to buy a medical device from you, you need to provide some type of assurance from a cybersecurity standpoint that that device is protected. They’ll partner with you and make sure it’s brought up to the right standard.” He added that the Mayo Clinic’s approach is helping to change the industry as a whole.
Morgan added, “There are a lot of other organizations out there that have working groups to figure out how to, as a community, build this. Because what everyone sees as a threat is: If your company has one of these devices and gets hacked, it doesn’t just impact your company. It impacts the community as a whole.”
Still, he told his listeners, rushed or overly restrictive regulations could pose a problem as well. He speculated that such regulations could come as a result of a major attack. “Now what we have to be careful of is what we call a ‘black swan’ event, which is some major catastrophe happening that drives regulation.” Morgan explained that a “black swan” event could be one of those unlikely—but possible—hacks that stop medical devices from functioning. He added, “We don’t want that to happen because then Congress will step in and drive some regulation … which creates obstacles and challenges for everybody.”