Doctors — particularly the ones that work in emergency rooms — need to have strong stomachs and level heads, since they see illness and injury at their most serious. Violence, accidents and serious diseases are all a matter of routine in the ER.
Dr. Christian Dameff is a faculty member at UC San Diego’s medical school, has seen all of that and more, since he’s also a white-hat hacker and expert in medical IoT security. He warned the audience on Thursday at the Security of Things USA convention in San Diego that the state of that security is, frankly, alarming.
Technology is a central underpinning of all modern medical treatment, according to Dameff. Many younger doctors have never worked with paper charts, or written paper prescriptions, or looked at x-rays on a lightbox – it’s all digital.
“Software powers modern healthcare. It is as essential as antibiotics, x-rays and surgery combined.” he said. “Without our technical systems, doctors today are essentially helpless for taking care of strokes, heart attacks and traumas.”
There are two central issues, according to Dameff. Part of the problem is that the emphasis on security discussions in the medical field focus heavily on data security, mostly for regulatory reasons.
“When we talk about information security in healthcare, we talk about the HIPAA hammer,” he said, “because the fear of a HIPAA fine, and the fact that we have hundreds of data breaches every single year, has made this the focal point of your conversation.”
But a bigger issue is that the connected devices used to automate and speed up the tasks of care required by modern medicine are cripplingly, astonishingly vulnerable to compromise by outside agents.
The problem has existed for a long time, Dameff said, but the 2011 story of Jay Radcliffe, a diabetic security expert who discovered that a connected insulin pump he used was trivially easy to hack, helped bring the scale of the problem to the public’s attention.
“What surrounds the patient are dozens of wirelessly connected devices that are running legacy operating systems, that are unpatched, that have hard-coded credentials you can Google – that are controlling potent medications being infused into this patient that, if miscalculated or altered, can cause this patient to die. That is the state of modern healthcare IoT. We need to change it.”
Device makers need to work with doctors directly, Dameff argued, in order to usher in a newly holistic approach to the creation of medical IoT gear.
“Have them help you identify points of your product that, if it should fail, would result in patient harm, not just a compromise of their medical health information,” he said.”
Nor are connected devices the only way that poor security affects hospitals. Aging, unpatched IT systems are vulnerable to a huge array of known hacks, and notorious attacks like WannaCry can knock whole systems full of hospitals with custom hardware offline.
For the everyday user, this is a headache, but for a healthcare provider, it’s a much more serious issue. Ransomware and denial of service kill people, Dameff stated, by inches – when the hospital’s systems are down, it hinders urgent care, so patients suffering from heart attacks or strokes have their treatment delayed by crucial minutes or even hours. That can mean permanent disability or death.
“We can’t take care of stroke patients without functioning CT scanners. We just can’t,” he said.