iStock/Thinkstock(NEW YORK) — Cybersecurity experts are rushing to analyze the new ransomware known by some as “Petya” that quickly spread to countries around the world Tuesday, including the United States, with hackers holding computers hostage for ransom payouts.
Among the U.S. computers affected in the Petya attack were hospital computers, and experts are warning that not only is the ransomware problem getting worse, but hospital computers and medical devices are potentially vulnerable to hacking.
Last month, a worldwide cyberattack by a ransomware called WannaCry shut down 65 hospitals in the United Kingdom, and affected not just computers but storage refrigerators and MRI machines. Last January, Hollywood Presbyterian Hospital in Los Angeles paid out $17,000 after hackers took control of its computers.
“In between the bookends of Hollywood Presbyterian Hospital and the 65 hospitals shut down in the U.K., we went from being prone and prey with no predators to now a little blood in the water,” cybersecurity expert Josh Corman said. “Hospitals and health care went to the No. 1 targeted industry last year, in less than one year.”
“So our relative obscurity is over,” he said.
The popular TV show “Homeland” included a scene where the president’s pacemaker was hacked, and researchers say that threat is very real. Former Vice President Dick Cheney revealed to reporters in 2013 that he had the wireless capability on his pacemaker turned off.
To combat this problem, doctors, security experts and government employees recently converged at the University of Arizona Medical School in Phoenix to witness the first-ever simulated hack of a hospital.
The event was organized by Dr. Jeff Tully, a pediatrician, and Dr. Christian Dameff, an emergency medicine physician, both of whom are graduates from the University of Arizona Medical School and self-proclaimed hackers.
“When you say a hacker, everybody immediately thinks of darkly lit rooms, hooded characters that are nefariously typing and hacking the Pentagon,” Dameff said.
But he said there are some hackers they call “white hat hackers,” who Dameff said use their skills for good.
“When they find vulnerabilities in systems, they fix them. They talk to device manufacturers. They talk to software companies and fix them, because they know that there are bad hackers out there. And if people don’t do that, then it’s free range for the bad hackers,” he said.
Tully said “anything that is plugged in,” whether it has a Wi-Fi connection or not, can be vulnerable to hacking. And lots of medical devices, such as pacemakers and ventilators, are connected to the internet for the benefit of the patients.
“Pacemakers can connect with a device at home that monitors the rhythms of the heart and are able to send that information to doctors,” Tully said. “These things are good for patients, and we don’t want people turning away from the promise that these type of technology have.”
For their demonstration, Tully and Dameff staged a massive cyberhack at the medical school’s simulation center using three critical mock patients, without the doctors involved in the simulation knowing what was about to happen.
One mock patient had a simulated calcium channel overdose from a hacked bedside infusion pump. Another patient’s pacemaker was made to malfunction. The third situation involved an insulin pump delivering an unauthorized dose — all by security researchers and doctors simulating these devices being manipulated.
Despite the hacks, the doctors involved in the simulation were able to save all the mock patients.
Dr. Marie Moe, a security researcher from Norway, observed the demonstration. She and her team researchers have figured how to hack a pacemaker. That pacemaker scene in “Homeland,” Moe said, is “not that far-fetched.”
Moe said she buys pacemakers on eBay so she and her team can practice hacking them. Moe herself has a pacemaker, so this kind of threat is very real to her.
“The reason I do this is to prove that the security is not implemented well enough,” she said.
Billy Rios, a hacker in San Francisco, takes apart and hacks different medical devices, such as pacemakers and insulin pumps, using an internet connection and programs he developed. He demonstrated how a bedside infusion pump, which has a Wi-Fi connection, could be hacked.
“These pumps have a firewall that’s there, but it’s really easy to turn off,” Rios said. “Once the firewall is turned off, we are going to connect to the pump and send it commands. … If this were connected to a patient, it would dump all of the drugs into a patient.”
Once a hacker is connected to the pump’s network, Rios said, it can be controlled remotely.
“You could be 1,000 miles away as long as you’re connected to a network. You could be at a Starbucks, or at a hotel, or you could be in another country,” he said. “It’s almost as if the pump has a life of its own.”
Cybersecurity expert Josh Corman, who recently served on a congressional task force for the U.S. Health and Human Services Department to investigate health care systems, said these systems are easy to hack because the computers are often running on “very old, unsupported systems.”
Another issue Corman said is that hospitals tend not to invest in qualified cybersecurity personnel. He and his team conducted a yearlong investigation and said they found that “about 85 percent or more of the hospitals don’t have a single qualified security person on staff.”
“When a medical device is expected to live in the field for 30 years, the underlying software components are only expected to live two years to 10 years, so there’s a big mismatch there we have to rectify and reconcile,” said security expert Beau Woods, who worked with Corman’s team.
AdvaMed (Advanced Medical Technology Association), an American medical device trade association told Nightline in a statement in part: “The medical technology industry’s chief priority is patient safety, and medical device manufacturers take seriously the need to continuously assess the security of their devices in a world where the risks, no matter how remote, evolve.”
The FDA, which regulates medical devices, told Nightline in a statement in part: “Cybersecurity risks are constantly evolving, and the FDA has been working diligently to address medical device cybersecurity in all phases of a product’s lifecycle.”
There are currently no known cases of illicit hackers manipulating someone’s pacemaker or any other medical device in a real-world setting, but Tully and Dameff want to continue to work with doctors to make them aware of these risks.
“We came to med school to become doctors, but before that we were hackers,” Tully said. “I think our parents are just happy we’re not in jail.”
Copyright © 2017, ABC Radio. All rights reserved.
