Hospitals: Get Well and Get Hacked

The Mayo Clinic recently assembled a team of some of the best and brightest computer hackers. The all-star team was made up of “about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con.” Billy Rios—a hacker who has worked with the Pentagon—was on the team and assumed it would be a typical job looking for computer bugs.

The Mayo Clinic had other ideas. The group of hackers was split into two teams and told to “Do your worst. Hack whatever you can.” Just like the wireless printers we have in our homes, “many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do. Like the rest of the Internet of Things—devices range from cars to garden sprinklers—they communicate with services, and many can be controlled remotely. As quickly became apparent to Rios and the others, hospital administrators have a lot of reasons to fear hackers.”

The teams of hackers spent a week looking for ways to gain access to “magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions.” At the end of each day, the teams regrouped to analyze the damage done. Rios said, “Every day, it was like every device on the menu got crushed. It was all bad. Really, really bad. The teams didn’t have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn’t be changed, and so on.”

The Mayo Clinic took the dismal results and decided that from now on, it would have strict security requirements for all of its medical device supplies. Each new device would have to pass a rigorous set of standards before the Mayo Clinic would sign a contract for its purchase. “Rios applauded the clinic, but he knew that only a few hospitals in the world had the resources and influence to pull that off.” The sad result is that, while the Mayo Clinic is leading the movement towards hospital cybersecurity, most hospitals throughout the nation are far behind, and patients could be seriously at risk.

Rios and other hackers have made it a personal mission to demonstrate the flaws and susceptibility of devices—but device makers are far from pleased about their efforts. “Such attacks angered device makers and hospital administrators, who say the staged hacks threatened to scare the public away from technologies that do far more good than harm. At an industry forum last year, a hospital IT administrator lost his temper, lashing out at Rios and other researchers for stoking hysteria when, in fact, not a single incident of patient harm has ever been attributed to lax cybersecurity in a medical device.”

While some device makers may be angry, analysts at TrapX Security, a firm based out of California, have begun helping hospitals with their cybersecurity programs. TrapX installed software in over 60 hospitals to help trace medical device hacks. The software creates decoy medical devices online that trick hackers into thinking they are attacking a real device when they are not. “After six months, TrapX concluded that all of the hospitals contained medical devices that had been infected by malware.”

Rios and other hackers have made device vulnerability their pet projects—drawing as much attention to the vulnerabilities as possible. Over 300 different devices from more than 40 different companies have been scrutinized. Their efforts have attracted the attention of the FDA, which has started to take early steps toward addressing the issue. The FDA also released a Hospira advisory in July of this year.

These early steps are important, but medical device vulnerability is far from resolved. As more hackers begin to take the time to investigate different devices, software, and networks, it is really only a matter of time before the issue becomes dire. However, this does create a whole new and important field of research for companies. There will certainly be innovation as companies and individuals develop products to combat cybersecurity flaws in hospitals.

At Apex Financial Advisors, we are always looking at innovation for investment. While medical cybersecurity technology is still in progress, there are numerous other opportunities that are important and potentially lucrative for investors. Call one of our experts today to discuss opportunities for your portfolio, and find new ways to grow and protect your wealth.