Directed by Oscar-nominated filmmakers Kirby Dick and Amy Ziering, the new Netflix documentary, The Bleeding Edge, profiles five people who suffered horrendously when the medical devices on which they relied failed. Somewhat sensationalist in its tone and point of view, the film is also well-researched, and the stories it tells are downright heart-breaking.
Though subject to regulatory oversight, the broad product range and complex contexts grouped under "medical devices" open the door to problems in the industry's pre- and post-market environments. It's on those problematic aspects of the medical device industry that The Bleeding Edge endeavors to shine a light.
While manufacturers claim that device failures are rare, the film focuses on examples of evidence to the contrary. Essure, the internal contraceptive device that’s featured heavily in the film, was the subject of over 12,000 complaints to the FDA in 2017.
The Bloody Takeaway
If there's a positive element to the story told in the documentary — and admittedly you have to look hard to find it — it's that patient advocacy groups are forcing change.
With the help of Congress, concerned citizens directly petitioned the FDA commissioner to revise Essure’s regulatory status — presenting data they had collected over the past years. Two months later, the FDA required doctors to inform patients about the risks of Essure before using it.
While the public might draw comfort from such people-powered changes, the reality of substantial and sustained risk exposure owing to medical devices is decidedly less comforting. One area the documentary doesn’t touch on, but that contributes handsomely to overall device risk, is the threat of cyber attack.
Connected Medical Devices
When it comes to the hidden dangers posed by medical devices, the cybersphere simply cannot be ignored. While we may naturally feel safe in medical care centers and in the company of medical professionals, the fact of the matter is that, more often than not — courtesy of cyber-insecure medical devices and networks — we are opening ourselves up to great risk.
Although the FDA has issued guidance for the security of medical devices — placing the responsibility jointly on manufacturers and healthcare providers — there remain obstacles aplenty to ensuring the protection of devices used in our hospitals.
Much of the problem traces back to the proliferation of internet connected medical devices and the rise of a black-market cyber economy trading in stolen information and leveraging the threat of chaos as a strategic weapon. To make matters worse, the erstwhile good guys and would-be victims are woefully unprepared for the task of securing their digital domains.
The business community in general, and the healthcare community in particular, is inadequately educated in matters of cybersecurity and lacks the basic best-practice know-how needed to effectively contain and combat the threat.
BI Intelligence estimates that there are around 330 million connected medical devices in use, ranging from diagnostic equipment, such as MRI and CT scanners, through therapeutic equipment, like patient monitors, to life support equipment such as infusion pumps and defibrillators.
The steep increase in the use of these devices has been fueled by the benefits they offer:
- Patients get personalized care quicker and with fewer doctor visits
- Healthcare professionals get access to a much wider range of real-time data that can help with diagnosis and treatment plans
- Healthcare providers reduce human error and save money by reducing the amount of human intervention needed
In other words, while simply “putting the cat back in the bag” makes for a tempting theoretical solution to the problem of healthcare’s digital vulnerability, it’s simply not practical, or even attractive — all things considered.
Why Connected Medical Devices are at Risk of Cyberattack
Entire healthcare systems are vulnerable to cyberattack because of a historic lack of investment in cybersecurity, vulnerabilities in existing technology, insecure networks, and problematic staff behavior.
The Legacy Problem
WannaCry ransomware, which specifically targeted healthcare, exploited a vulnerability in a 30-year-old software protocol. As much as we (the public and medical professionals alike) might want to think of the WannaCry attack as a one-off, seizing on a singularly overlooked system vulnerability, it’s simply not true. Most medical centers, the devices they rely on to administer care, and the digital infrastructure on which it all rests are riddled with such vulnerabilities.
Practically every operating system has known vulnerabilities associated with it and it’s rare for a hospital to have implemented all relevant patches for all devices in deployment.
In a similar vein, some expensive equipment, MRI machines for example, has a service lifetime spanning decades — meaning support, including security updates and patches, becomes more difficult as the underlying technology ages.
Vulnerabilities Seem to be Everywhere
The Department of Homeland Security recently issued more warnings about vulnerabilities in medical devices, and in August of last year, the FDA recalled nearly half a million pacemakers after finding the devices could be hacked to control pacing or deplete the batteries with fatal consequences.
Devices are networked to allow for information sharing and central administration, but that makes them an easy target: breach the network in one place and you get access to a whole lot more.
Healthcare providers can reduce the risk by dividing up the whole network and restricting access to authorized users and devices. But these groupings are applied manually or by fixed rules and don’t cater easily to the complexity of normal daily operations, let alone the inevitable changes in the organization.
Staff (and visitors) who access the internet using hospital computers or connect their personal devices to the hospital network are vulnerable to phishing, pharming, or man-in-the-middle attacks that can compromise connected medical devices and their shared digital infrastructure. This can easily lead to malware infections, ransomware gambits, and the like.
Similarly, running medical devices with default, simple, or reused passwords opens the whole enterprise to potentially devastating infiltration scenarios.
Why Cybercriminals Love the Medical Device Industry
Cyberattacks in the first quarter of this year increased 125 percent over the same period last year, and the sector offers rich pickings for cybercriminals. Confronted with this information, most people respond in the same way — asking why.
Here are four basic reasons:
- Sensitive health information is stolen and sold for great profit
- Critical infrastructure such as medical devices is fertile ground for ransomware attacks
- Medical implants can be selectively interfered with, putting the patient at risk (as disturbing as it is, this type of functionality would ostensibly appeal to certain political and business interests)
- Criminal gangs or rogue states can undermine a country's healthcare system
The medical device industry offers hackers and other digital delinquents a kid-in-the-candy-store experience, and it hasn't taken long for the bad guys to catch wind of this. Orangeworm, for example, spearheaded the first widespread attack known to have deliberately targeted medical devices, and it shows how criminals are becoming more sophisticated in their planning so as to maximize the impact of an attack.
Regulations and Best Practice Guidelines
Researchers have found that in 38% of cases where a medical device has been breached, the wrong treatment was then given to the patient. It’s easy to see how fatalities could follow and why healthcare providers are so worried.
The regulatory bodies are trying to take action, but in circumstances that echo the problems highlighted in the documentary, it is very challenging to stay one step ahead of the hackers.
There’s no single HIPAA-type regulation designed to protect human life or patient data from a medical device cyberattack, and different countries are taking different approaches.
In the UK, a government policy paper, written with the National Cyber Security Centre, includes guidelines on how manufacturers, industry, and government should work together to improve the resilience of connected devices.
The European Union has adopted a new medical device regulation which, for the first time, specifically requires manufacturers to develop devices using cybersecurity protection.
And in the US, the FDA's Medical Device Safety Action Plan, released April 2018, aims to improve patient safety, explore regulatory solutions and advance medical device cybersecurity nationwide. Legislation is also moving through the House of Representatives that, if adopted, would formalize recommendations made by the Health Care Industry Cybersecurity Task Force last year.
A Cautionary Tale
The point is made in the Netflix documentary that it’s not uncommon for doctors to recommend specific procedures or medical devices that they are not actually very familiar with. The argument is put forward that this is a big part of the underlying problem with medical devices.
The idea that a doctor should only advocate for tools and treatments with which he/she has first-hand experience doesn’t exactly leave room for medical science to expand and improve. At the same time, there is a fundamental expectation that a medical professional personally conduct due diligence on a given practice or procedure before putting his/her patients’ welfare on the line.
The same principle ought to be applied at the administrative level when it comes to the operational technologies on which healthcare facilities rely. Any modern hospital today runs on digital architecture and infrastructure, yet very few of the people with a hand in managing those hospitals actually understand or know much about the digital backbone on which it’s built. That's kind of a recipe for disaster.
There needs to be an expectation incumbent upon the relevant administrators to personally examine and scrutinize the technology used for potential hazards, malfunctions, and operational implications.
Headlines such as "Vulnerable Medical Imaging Devices Open the Door to Death" might be dramatic, but they make a serious point, and healthcare providers need to act now rather than wait for regulations to catch up.
Given the role of medical devices in modern patient care, it’s reasonable to suggest that decision makers — whether doctors, administrators, or what have you — be more vigilant in protecting their facilities and their patients.
Reducing the Risks
Healthcare providers have an important role to play by ensuring basic cybersecurity protection is in place and followed by everyone. Many are now using established cybersecurity frameworks, such as NIST or HITRUST, to bring structure to their arrangements and make sure nothing obvious is missed. They can also take advantage of shared information and early warning services, such as CareCERT in the UK, which reportedly blocks over 90 million harmful activities every month.
But a more robust approach also demands active and ongoing technology solutions dedicated to finding, screening, and securing medical devices.
With some healthcare providers having thousands of medical devices in use, it’s not possible to get the same results from basic security tools or generic IoT security solutions. Intelligent, purpose-built software can find all medical devices on a network, use artificial intelligence techniques to determine the likelihood of a successful attack on each device, and recommend mitigating actions.
Governments are also starting to step up and respond to concerns about cyberthreats, but there remains much to be done. That being said, perhaps, similar to the implied upshot of The Bleeding Edge, it would be best if we didn't lay our hopes for safer, more secure medical devices squarely at the feet of governments.
Perhaps the best course of action is one that also calls on people — individually and collectively — to be more proactive in combating the threat.
The shortest distance between two points is a straight line. Here I'd argue that that straight line consists of:
- More awareness
- Better education
- Better communication
- Better procedures
- Better solutions