Q&A: Protiviti’s Scott Erven talks medical devices and patient security

Scott Erven, associate director at the global consulting firm Protiviti, and Mark Collao, security consultant for security company Neohapsis, gave a presentation last month at DerbyCon 5.0 in Louisville, Ky., about the security of computer systems and medical devices in the United States.

Through their research, Erven and Collao explained that they discovered tens of thousands of vulnerable computers and devices within the U.S. healthcare industry. And they did it in a fairly simple, straightforward manner.

So what does this mean for radiologists and technologists? Is there anything that can be done to stop potential hackers?

Erven spoke with RadiologyBusiness.com about the situation, sharing his insight along with some tips for keeping computer systems and medical devices as secure as possible.   

RB: How did you test to see which computer systems and medical devices were vulnerable to a potential attack?

SE: The first phase was using Shodan, which is kind of like a search engine for all of the devices that are connected to the public Internet. So it goes out and scans the entire Internet every day and reports back what it finds attached directly. So we did searches for various type of medical devices as well as organizations, hospitals, and providers that had misconfigurations in their security controls that allowed exposure of those devices through the public Internet.

Once we did that, we had a determination that, “OK, there are devices directly connected to the Internet as well as accessible due to security misconfigurations in multiple organizations.” So we wanted to further understand with the honeypot research, are these devices being attacked? What are the motivations? Is it a targeted attack or random noise?

So we set up the honeypot to determine that and get some data. What we found is, these devices were in a hostile environment due to being directly connected to the Internet and they were exploited and compromised fairly quickly once we put them on the Internet, but we couldn’t see any attacks due to their being medical devices.

We did see malware dropped on these devices -- but we didn’t see adversaries that dropped that malware specifically because it was a medical device. It was random malware associated with potential credit card theft, that sort of thing.

RB: So these are often random attacks, but it is nothing intentionally targeting medical devices?

SE: From an adversary perspective, most of what you see aren’t targeted attacks. They’re after some sort of financial reward, and often times that’s credit card data. It could be medical data, but what we saw in the six months we ran our research, there were indicators of broader attacks that weren’t specific to medical devices at all. 

RB: If computer systems or medical devices are hacked, what can the attacking party potentially do?

SE: There are different incentives for different adversary classes. Those looking for financial gain, they would most likely be looking for radiology imaging systems that contain protected health information data they could either sell on the black market or use for fraud.

When you get to radiology devices, so many of them actually have a hard control at the radiology technologist workstation, so even if you were to compromise the device, you still have that physical control you need to execute that command set.

Many radiology devices have that and do have good protection from a patient safety perspective. However, sometimes, if you only have software controls, that’s where an attacker could use that software for unintended consequences. Things you could do as a radiology technologist, for example, with dosing or something like that, that’s what an attacker could do once they had administrative access to that device. Once an attacker gets administrative access, they have the same control as the technologist at that workstation.

Now, we don’t have any evidence that that has happened, but we also have a lack of evidence-capturing capabilities with these devices.

RB: In your presentation during DerbyCon, you told the story about patients at a hospital who hacked into their own infusion pump to increase their dosage. Is something like that rare, or is it becoming more common?

SE: It’s definitely a rare instance where patients themselves have actually done that. But it’s important to understand that an individual patient was simply able to get on the internet, search for documentation, get onto a device, and change the dosing levels of that infusion pump.

We have to mature security. Right now, I don’t think we’re doing a good enough job for patients.

RB: What can radiologists and technologists do to prevent their computer systems and medical devices from being hacked?

SE: One thing is obviously general awareness, but they also need to partner with not only their clinical engineering team, but also their information security team. A partnership that’s effective is actually one that’s working during vendor and product selection and partnering physician staff with clinical engineering, information security, and purchasing and contracting to make sure these devices are tested up front.

That partnership enables physicians to make a more well-informed decision of risk upfront rather than what we currently see in most organizations, which is providers solely making a decision based on clinical effectiveness. They’re not supplanting a physician’s judgement, they’re just giving them additional information about risks. Physicians are still making that clinical decision, but they at least are informed about that decision and the risks from a cyber-security standpoint.

RB: Is there anything else you think radiologists and others in the industry need to know about this subject?

SE: It’s very important to understand with these devices that the benefits of the devices clearly outweigh the security risk. But it’s also important for clinical staff to understand that all software has flaws, and as connectivity increases, so do potential interactions of these devices being put into a hostile environment.

A software-driven, connected medical device is essentially a vulnerable and exposed device. So we have to work to balance that inherent risk with the benefits derived from those devices. 

Michael Walter
Michael Walter, Managing Editor

Michael has more than 18 years of experience as a professional writer and editor. He has written at length about cardiology, radiology, artificial intelligence and other key healthcare topics.

Around the web

The patient, who was being cared for in the ICU, was not accompanied or monitored by nursing staff during his exam, despite being sedated.

The nuclear imaging isotope shortage of molybdenum-99 may be over now that the sidelined reactor is restarting. ASNC's president says PET and new SPECT technologies helped cardiac imaging labs better weather the storm.

CMS has more than doubled the CCTA payment rate from $175 to $357.13. The move, expected to have a significant impact on the utilization of cardiac CT, received immediate praise from imaging specialists.