Pumps key to hospitals' cybersecurity work

MINNEAPOLIS -- The humble infusion pump: It stands sentinel in a hospital room, injecting patients with measured doses of drugs and writing information in their electronic medical records.

But what if hackers and identity thieves could hijack a pump on a hospital's information network and then use it to eavesdrop on sensitive details such as patient identity and billing data for the entire hospital?

Although it hasn't happened yet, the hacking of wireless infusion pumps is considered a critical cybersecurity vulnerability in hospitals -- so much so that federal authorities are focusing on the pumps as part of a wide-ranging effort to develop guidelines to prevent cyberattacks against medical devices.

Pumps with Wi-Fi were selected to kick off the new effort because their individual vulnerabilities are magnified by their sheer numbers inside hospitals and clinics.

Allina Health is one of several Twin Cities health care players that have been working with the National Institute of Standards and Technology to develop a type of technical analysis known as a "use case" for wireless pumps. The companies' goal is to speed along the development of new standards to harden medical devices against cyberattacks and computer viruses.

"Infusion pumps are ubiquitous. At Allina, we have over 3,000 infusion pumps across the system," said Linda Zdon, director of information security and compliance at the 12-hospital Twin Cities health system. "Almost every hospital patient at some point has an infusion pump. So it certainly strikes at an area that has a broad application for most patients, and therefore, has a significant impact on health systems."

Device-makers say they're already hard at work improving security, but hospitals complain that the companies have been moving too slowly on a vulnerability that puts hospitals' information systems at risk.

In a Nov. 21 letter to the Food and Drug Administration, the American Hospital Association urged the federal government to "hold device manufacturers accountable for cybersecurity." The Homeland Security Department, meanwhile, is reportedly investigating suspected cybersecurity flaws in one model of infusion pump.

Patients tend to fear a malicious person would try to steal data or even scramble the dosing instructions for an individual pump. While those risks are real, security experts say they're far less likely than a hack to gain access to a hospital's wider network traffic. For one thing, attacking an individual through their pump would draw attention and close off what could be a potentially lucrative entry point to many patients' data.

Minnesota companies like Allina, Fairview Health Services and HealthPartners are playing a central role in the development of the new federal guidelines through early collaboration with researchers.

The National Institute of Standards and Technology project was unveiled in December in a presentation before the University of Minnesota's Technological Leadership Institute. The standards institute hopes to publish this first set of recommendations as soon as next fall and then move on to security vulnerabilities in implantable medical devices and large equipment like magnetic-resonance imaging scanners.

Cyber-vulnerabilities are a top-of-mind concern in health care these days. In July, the 200-hospital Community Health Systems revealed in securities filings that a group from China hacked its files and stole information including names, addresses, birth dates and Social Security numbers for about 4.5 million patients. Company officials haven't said how the hackers got into the system.

Recent headlines have been dominated by the international intrigue surrounding the massive hack at Sony Pictures Entertainment, but several people at the standards institute meeting in Minneapolis compared hospitals' infusion pump vulnerability with what happened at Target Corp. Last year, hackers accessed personal data on more than 70 million customers after breaching the retailer's computer system through a digital side door created for a heating, ventilating and air-conditioning contractor.

"The infusion pump is to the hospital what the HVAC system was to Target. That is, it becomes the vector to get in," said Ken Hoyme, a computer-security scientist at Minneapolis' Adventium Labs.

The risk, as described in a Dec. 18 draft of the institute's infusion-pump study, is that a hacker could write malware to compromise a pump and then use the pump's network access to plant malicious computer code in the hospital's central systems. Hoyme said specialized code could be written that would cause the network to send sensitive information outside the hospital to an anonymous network of other infected computers, where it could be sold to identity thieves or used to generate negative publicity about the target.

The FDA -- working independently from the institute study -- has been concerned with infusion pumps since it launched a 2010 review of software defects and related issues in response to 56,000 reports of adverse events.

Separately, the FDA last fall convened its first cybersecurity conference for medical devices, including infusion-pump makers. That work is ongoing. Following the FDA meeting, Reuters reported that Homeland Security officials have opened investigations into suspected cybersecurity flaws in medical devices, including an infusion pump sold by Chicago-based supplier Hospira.

Hospira, which is listed as the lone device-maker company working with the standards institute on the infusion pump guidelines, declined to comment for this story. CareFusion, a major infusion-pump device-maker based in San Diego, listed several specific steps it takes to secure its devices, including working with third-party experts to test and validate product security and using strong data encryption.

Although it's a common fear that talking openly about cybersecurity vulnerabilities will give hackers ideas, experts note that attackers would still need an extraordinary amount of skill and access to a device to pull off an attack.

Gavin O'Brien, one of the lead authors of the standards institute report, said public discussion will cause consumers of health-information technology to become better informed and start demanding more security features.

"Educating enterprises on how to improve their security will benefit the industry," O'Brien said in an email. "To ignore these issues or just talk about them in small circles may not be enough to push the market into building the security into the products."

SundayMonday Business on 01/12/2015
