A non-profit organization focused on Internet security is looking to develop a set of benchmarks to protect medical devices from potentially fatal cyber attacks.
Officials with the Center for Internet Security (CIS) said the benchmarks would help device manufacturers and healthcare providers protect such devices as insulin pumps, pacemakers and defibrillators from being hacked or damaged by malware.
"The technological advancements that enable healthcare providers to embed life-saving devices and treat patients remotely are tremendous. We must do everything we can to protect those devices and the patients who rely on them," said William F. Pelgrin, CIS' president and CEO, in a recent 15 press release.
Rick Comeau, CIS' executive director of security benchmarks, said the 13-year-old, New York-based organization, which addresses cyber security and response in a number of industries, ramped up its efforts in the healthcare sector when the Food and Drug Administration issued an alert last June on device security.
"That really elevated things from hypothetical to a concern," he said.
At present, CIS has issued a request for information (RFI) to medical device makers to participate in the development of security control guidelines. The group hopes to post benchmarks for insulin infusion pump technologies by the end of the year, and add new benchmarks for other devices in time.
"We put insulin infusion pumps out there, but we could have put any type of life-saving device out there first," said Comeau. 'Our intention right now is to get their attention … and expand the pool of collaboration (and) find the synergies."
According to CIS officials, healthcare providers are beginning to routinely access implanted medical devices (IMDs) over the Internet, enabling them to manage the device and monitor and treat patients remotely. However, recent safety notices issued by the FDA and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) have pointed out that hardcoded password vulnerabilities have been found in as many as 300 medical devices.
"Cybersecurity threats and vulnerabilities continue to represent increasing concerns for medical devices," said Deborah Kobza, executive director of the National Health Information Sharing and Analysis Center, which is partnering with CIS in the initiative, in the press release. "The Center for Internet Security's initiative provides healthcare stakeholders with a defining voice to help protect medical device confidentiality, integrity and availability and public health safety. The National Health ISAC is excited to help support this important initiative."
The FDA's June 13 safety communication warned device makers, healthcare providers and everyone in between to put safeguards in place to prevent cyber attack.
“Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches,” FDA officials wrote. “In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical device and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates.”
While there are no known incidences of hacked medical devices, the hypothetical ramifications are well known. The Showtime cable series "Homeland" included a scenario last year in which the vice president of the United States was assassinated by a hacked pacemaker. That episode, and claims by well-known hackers that they could exploit implantable medical devices, prompted the FDA to issue a release to calm the fears of some 3 million people with pacemakers.
The FDA "is not aware of any patient injuries or deaths associated with these incidents, nor do we have any indication that any specific devices or systems in clinical use have been purposely targeted at this time," the release stated.
Nevertheless, at the HIMSS/Healthcare IT News Privacy & Security Forum last month in Boston, a panel of experts pointed out that while the Showtime episode amounts to little more than "a little bit of truth just covered by a lot of exaggeration," the need to develop security standards is strong.
The CIS initiative has already attracted one high-profile provider: Albany Medical Center in Albany, N.Y
"The medical community leverages technology to deliver top quality healthcare, research and education to our vast constituency, and the security of that technology is crucial," said George T. Hickman, the hospital's executive vice president and chief information officer, in a press release.
"I'm pleased to be a part of this collaborative effort to develop implementable guidance that will enhance the security of these devices," said Hickman, a former board chairman for HIMSS and current board chairman of the College of Health Information Management Executives (CHIME).
Comeau said several healthcare organizations expressed interest in the venture during a recent webcast, and he expects more to take part in future workshops. He emphasized that the benchmarks won't be mandatory, but they need to be "tangible and valuable" to take root in the industry.