As our devices get smarter, they also are at risk of more sophisticated cyber security attacks.
Think about the cars connected to the internet that make tracking trips and monitoring teen drivers easier. On one hand, they help make our lives easier, but now shutting the motor down with a few keystrokes is no longer science fiction.
Cars aren’t the only machines to showcase the opportunities and risks of wireless. Medical devices are increasingly connected as well. Which means they’re also increasingly vulnerable.
Nurse Brandi Crow says up until 20 or so years ago, she and other nurses counted drops or made calculations by hand to determine the correct rate and dose of IV fluid and medications. These days, so-called “smart pumps” determine the dosages of everything from antibiotics and pain medications to chemotherapy drugs.
“They’re wireless,” she says. “They’re on the hospital wireless network, you don’t think about anybody really breaching that. Why would they want to get into a medical device?”
Crow, who is also an analyst with Dallas-based healthcare research company MD Buyline, says hospitals are now starting to realize the potential danger of smart infusion pumps.
“You’re worried about someone going in and getting out a patient’s medical history,” Crow says. “You can get patient information, you can get financial information, all kinds of things through that. So whether it’s malicious or not malicious, you’re opening yourself up for considerable risk.”
At some high-tech hospitals, pharmacists can prescribe and set up pumps remotely. The risks associated with a hack have caught the attention of the Food and Drug Administration. Earlier this summer, for the first time, the FDA warned caregivers to stop using a pump called Symbiq Infusion System, because of its vulnerability to hacking.
The Alaris smart pump, a device that helps deliver IV fluids and medication to patients.
The pump, created by Hospira (now part of Pfizer) is no longer in production. Hospira declined an interview with the reporter, but in a statement said the company has designed “our next-generation infusion systems with enhanced network security protections in place.”
That said, there are good reasons for pumps to be wireless and connected to pharmacists, nurses and a patient’s medical record. Drug orders can be very complex: You have to get the dose, concentration and flow rate right. Typing in that data leaves room for serious errors.
Dan Pettus, vice president of information technology with medical device company CareFusion, says smart pumps make it possible to program and update that information from any location, at any time.
“A connected system gives someone remotely the ability to view what’s happening at the patients’ bedside,” he says. “[It] could be very valuable for a pharmacist or a nurse to check the order, and that raises the bar for the efficiency and safety of these infusion devices.”
And it’s true — smart pumps can make patients safer. A 2004 study at Vanderbilt University Medical Center found CareFusion’s pumps helped prevent errors with the blood-clot drug heparin.
Increased safety is one reason the market for smart pumps is expected to grow to$3.6 billion by 2017, according to MD Buyline.
The Risks of Overlooking Cyber Security
Jay Radcliffe, a hacker and Type 1 diabetic, knows the benefits and dangers of medical devices first hand. In 2011, he hacked his own insulin pump and was able to write a program to turn it on and off, even change the therapy settings.
“The battle is that technology moves a lot faster than the agencies do,” he says.
Radcliffe now works for cyber security company Rapid7. He says many hospitals still use pumps that are 10 years old, which he compares to using a Windows 95 computer for financial transactions.
“[Medical device makers] seem to be lagging behind,” according to Marty Edwards, director of the Industrial Control Systems Cyber Emergency Response Team. “They need to work towards fixing that.”
Edwards and his team work with researchers and device makers to address cyber security threats. He expects to see an rise in the number of medical devices that are flagged for vulnerabilities.
“This is an area that’s people are just starting to scratch the surface on from a research perspective,” he says.
Both Edwards and Radcliffe say there has been progress though. Device makers are increasingly working with hackers rather than against them to identify and fix flaws.
CareFusion’s Pettus recognizes that even with the best software and encryption methods, companies still have to bring in so-called white-hat hackers to test the devices.
“And they will try everything under the sun to hack into that system,” Pettus says. “And you know what? They’re always going to find something, because it’s an extremely complex ecosystem.”
Occasionally, what they find is a bad password.
Radcliffe says hospitals sometimes purchase infusion pumps off the shelf and don’t change the default password. Still, he’s not overly concerned.
“There’s risk in everything we do,” Radcliffe says. “If I’m in a hospital, and I’m in a life-threatening situation, and I need to be hooked up to a medical device, the risks of me dying far outweigh any minor risk of attack that could occur from a cyber security issue.”
As medical devices learn to talk to each other, Radcliffe says it’s important we do, too. Patients, hackers and hospitals have to be connected to stay ahead of new threats.
There’s a lot happening in the world. Through it all, Marketplace is here for you.
You rely on Marketplace to break down the world’s events and tell you how it affects you in a fact-based, approachable way. We rely on your financial support to keep making that possible.
Your donation today powers the independent journalism that you rely on. For just $5/month, you can help sustain Marketplace so we can keep reporting on the things that matter to you.