IU Health Lab seeking collaborators to protect medical devices from cyberhacking
Cybersecurity in the healthcare space has long been about keeping digital patient records accessible to authorized professionals and no one else. The focus was on privacy—preventing identity theft, for example—which is certainly important, but patients’ lives weren’t necessarily at risk.
That began to change when the first medical devices were connected to the internet through Bluetooth in 2003. “The internet was built to share things fast and openly, but HIPAA and common sense require us to protect all of our data and devices from bad actors who are trying to make money or just cause chaos,” said Indiana University Health Director of Information Services Nick Sturgeon.
Today, every modern hospital operating room and patient room has multiple devices that are connected to the internet (or could be) for software updates and other legitimate, necessary procedures. Even devices such as the latest pacemakers that are implanted into the body could be vulnerable to cyberattack under the right circumstances. And while cybercrime is predicted to inflict staggering damages totaling up to $6 trillion globally by year’s end, the potential loss of life due to unprotected medical devices would be unconscionable if left unchecked.
To combat even the possibility of any cyberhacking vulnerabilities, Indiana University Health is testing medical devices in its state-of-the-art lab based at the 16 Tech innovation park in Indianapolis. Some of the most commonly relied-upon devices, including infusion pumps, blood pressure monitors and electrocardiogram (EKG) machines, are currently under attack by IU Health’s Information Services “red team” led by Director Sturgeon.
The lab has real, functioning devices so that the testing is just like it would be in a hospital, but there is no danger of the equipment being in use with a patient. It’s not likely cybercriminals would be targeting medical devices to harm people. However, it’s highly likely they wouldn’t care who or how many people they harmed if it meant they could piggyback in through a medical device to gain access to a hospital’s files and hold them for ransom.
“We think like the bad guys and try to do everything they would do, but our red team is working to make everyone safer by identifying and eliminating any security gaps we find,” Nick said. The goal for the lab is to publish its findings in academic journals so that in addition to keeping IU Health patients safe from cybercriminals, the entire healthcare industry is better prepared to fight bad actors.
There are a variety of blame-game scenarios going on within the healthcare industry as to who needs to do more about medical device security. Some say the device manufacturers need to make their devices more secure. Some say the FDA needs to step in and take a firmer hand with the device manufacturers. And then there are the more cynical who expect it’s an issue that will be driven by the courts in the event of injuries or deaths linked to cyberhacking.
Saber rattling like that doesn’t really work for Nick.
“We could complain about vendors and suppliers not doing enough or the government not doing enough, and maybe there are things they could do as well, but I think the best way to drive change is by stepping forward and doing it,” Nick said. “I’m a pretty pragmatic person. See a problem; attack that problem head on. That’s the kind of place this lab is going to be.”
Nick explained that he is hoping to find collaborators at 16 Tech and in the business, technology and research communities in Central Indiana. “Whether it’s academic institutions, other health systems, independent researchers or possibly health tech companies, we want to collaborate where it makes sense to strengthen our fight against cybercrime,” Nick said. “Openness, transparency and collaboration in our research have been core values for this lab since its inception.”
He expects to have the first collaborations in place with research agreements after the first of the year, but says he plans to keep the lab agile and fluid based on where the research takes them. Over time, Nick hopes that his team’s efforts help spark a shift in the medical device industry, making security less of an afterthought and more of a critical part of the development process.
Harvard’s Massachusetts General Hospital in Boston and the University of Michigan’s Archimedes Center for Healthcare and Device Security have similar labs, but the IU Health Lab is one of the first hospital systems in the nation to step out and acknowledge that change is necessary and call attention to the growing need for healthcare cybersecurity in general.
“I think actions speak louder than words and this lab is a big investment in doing everything we can to protect our patients,” Nick said. “Even from dangers we don’t yet know exist, but we’ll find them and prevent them from ever happening.”