The Security Risk Storm Is Here: Medical Device Threats Are Real and a Patient Safety Risk

A recent University of California survey found that a few delivery organizations and vendors believe 100 to 1,000 patients have had adverse events from compromised devices - and the threat will only persist. A recent study from the University of California Cyber Team found that a few healthcare delivery organizations and vendors believe between 100...

A recent University of California survey found that a few delivery organizations and vendors believe 100 to 1,000 patients have had adverse events from compromised devices - and the threat will only persist.

Medical device threats are real, risk to patient safety

A recent study from the University of California Cyber Team found that a few healthcare delivery organizations and vendors believe between 100 and 1,000 patients had adverse events from compromised devices.

It’s a staggering number, especially when compared to the 80 percent of survey respondents that report risks in medical devices are higher than what the Food and Drug Administration reports.

“There’s at least some self-reported evidence that some patients are being harmed by compromised medical devices,” said Christian Dameff, UC San Diego researcher and emergency room doctor at the HIMSS Media Security Forum in San Francisco on Tuesday.

[Also: Vulnerable devices are a reminder to create solid patch management policies]

Dameff, along with his colleague, Jeffrey Tully, UC Davis security researcher and pediatrician, outline a recent simulation of what happens when a patient’s medical device gets hacked.

The patient, represented by an actor, presented signs of chest pain to a team of nurses and doctors. The team went through normal procedures to treat the patient directly reflecting his symptoms. However, the ‘patient’s’ pacemaker was malfunctioning and routine attempts to use a magnet to fix the problem didn’t work.

As a result, the ‘patient’ kept dying and coming back to life because the hacked pacemaker kept shocking the patient at the wrong time.

What’s also concerning was the reaction from clinicians who took part in the simulation were completely unaware the device had been compromised, said Dameff. They were also asked if they would know what to do if a device was hacked, and all of them said ‘no.’ What’s more, none of the team had been trained in reacting to medical device hacks.

The point, Dameff said, is that while many have said these types of scenarios are relatively low, “the argument that something with a likelihood of being rare isn’t a reason to not address it.”

“The first time something like this actually happens will change the conversation entirely,” said Dameff. “We need talk about more than just devices -- also infrastructure. The risk is involved in every aspect of care. It’s important to be aware of the entire picture.”

“We rely on an incredible amount of technology to care for patients and trust the technology implicitly to care for our patients,” said Tully. “We’re afraid there’s a storm on the horizon -- and it may already be here. Healthcare cybersecurity is no longer really a compliance issue. It’s not only a protecting patient health information issue. Healthcare security is a patient safety issue.”

The next upcoming HIMSS Healthcare Security Forum is slated for Oct. 15-16 in Boston.

Source: m.healthcareitnews.com