    Episode 055 · December 30, 2025 · 24m listen

    Medical Device Cyber Failures Become Fatal | Ep. 52

    Episode Summary

    This episode of The Med Device Cyber Podcast delves into the critical and increasingly urgent issue of medical device cyber failures, exploring instances where vulnerabilities have led to direct patient harm, including fatalities. Hosts Trevor Slatterie and Christian Espinosa discuss pivotal historical events such as the 2017 WannaCry ransomware attack, which served as a catalyst for modern cybersecurity requirements in healthcare. The discussion highlights the severe downstream effects of ransomware on healthcare delivery organizations, ranging from operational shutdowns to an inability to provide critical patient care, citing evidence that directly links cyberattacks to patient deaths, notably in the NHS blood centers incident in the UK. Beyond ransomware, the episode unpacks targeted attacks, referencing the theorized and later proven vulnerabilities in implantable devices like pacemakers and defibrillators, drawing parallels to incidents involving Dick Cheney and Medtronic devices. The hosts also touch upon the dangers of software errors, such as the Therac-25 recall, and the emerging challenges of AI in therapy, where a lack of guardrails can lead to catastrophic safety concerns. The conversation underscores the FDA's heightened scrutiny and the industry's shift towards proactive cybersecurity measures, emphasizing that while compliance can be challenging, it is essential for ensuring patient safety and device quality.

    Key Takeaways

    • The 2017 WannaCry ransomware attack was a significant catalyst for the implementation of modern cybersecurity requirements in medical devices and healthcare delivery organizations.
    • Cyberattacks, particularly ransomware, can have severe downstream effects on healthcare operations, directly leading to patient harm, an inability to provide critical treatment, and even death.
    • Targeted attacks on implantable medical devices, such as pacemakers and defibrillators, have been proven possible and pose a serious risk, necessitating robust security measures for device integrity and patient safety.
    • The integration of AI in medical devices and therapy requires stringent guardrails and validation to prevent harmful outputs and ensure patient safety, as demonstrated by incidents of AI encouraging suicidal ideation.
    • Regulatory bodies like the FDA are increasingly enforcing cybersecurity due diligence for medical device manufacturers, shifting the industry towards proactive security postures to minimize risks to patients.
    • Cybersecurity in medical devices, while often perceived as a 'necessary evil,' is fundamentally about ensuring patient safety, preventing risks ranging from widespread ransomware to targeted individual harm, and guaranteeing the quality and effectiveness of healthcare technology.

    From the YouTube description

Hello and welcome back to another episode of the Med Device Cyber Podcast. We're your co-hosts, Trevor Slatterie and Christian Espinosa. Today, we're going to talk about some situations and incidents that have come up where medical device hacks, vulnerabilities, and problems have led to direct tangible harm, or in many cases, even death, against individuals. It's definitely a very serious topic. There's a lot that can go wrong within the medical space. We want to make sure that we're learning lessons, of course, from all of these areas and understanding what we can do in collaboration with the regulators to ensure that this isn't happening anymore. First, I'll check in with you. How are you doing, Christian, today? I know you've been on a pretty crazy travel schedule. So, just settling down and back home in Phoenix for what, one day, two days?

I just got back from Singapore on Sunday. I was there for eight days. So, I felt like I finally got acclimated to their schedule and now I'm here. I was going to be here for one day, but I changed the flight. So, I'm here for three days. So, not enough time to get acclimated here and then I'm heading to Europe tomorrow, actually.

Perfect. Well, yeah, at least get a little bit of respite moving it to three days as opposed to one day.

Well, I need a little bit of time to catch up on a few things and, you know, I actually enjoy my condo. So, I feel like I'm paying for this condo, but I'm never here.

Well, talking about some of the issues that we've seen come up with medical devices, there's definitely deep history on vulnerabilities and incidents where there's been tangible patient harm. Actually, one of the events that really drove home some of the modern cybersecurity requirements that we see today was a ransomware attack in 2017, the WannaCry ransomware attack. A lot of medical devices were affected, hospital operations screeched to a halt, and that started to underline the importance of cybersecurity within these products. So, there are new breaches, new problems, and new events. I know everyone sees ransomware on the news; it feels like every other day something is getting ransomed. But the regulators are trying to make an effort to stop some of this from happening. So, we can start a little bit about talking about what WannaCry was for anyone unfamiliar and then go into some more of the incidents that we've seen. For background, ransomware is something everyone would be familiar with. It's a non-targeted virus that gets into a computer and spreads into everything. It goes to any connected computers, encrypts all the information so that nothing is accessible. The attackers steal a copy of it; they threaten to release it into the public if someone does not pay a ransom. When they're stealing this information from a hospital, this is going to contain extremely sensitive records. This is going to have a lot of patient information, often payment information as well. So, it's very, very valuable to attackers. That's why hospitals are so commonly ransomed. WannaCry was an especially dangerous version that happened in 2017 and, like I said, that really acted as the catalyst for some of these regulators to start raising the bar with cybersecurity.

You have to think about it, if you're a hospital, and I remember I saw an episode of Chicago Med, but they actually had a ransomware attack in there and the hospital didn't know what to do, and patients were basically dying because they couldn't intake a patient when an ambulance would show up. All the systems were down, so one of the doctors actually paid the ransom out of his own pocket because the hospital didn't have a policy for it. I think that episode, I think it's called Chicago Med, was pretty much based on reality from my experience.

Yeah, when that happens, when ransomware hits a healthcare delivery organization, there's not that much that can be done anymore. We are in an extremely online world. The overwhelming majority of medical products are now internet connected. Anything relating to payment, record storage, or even note-taking is often going to be entirely online or digitally stored. Obviously, there are tons of advantages for that. I mean, we look at the fact that we're in a podcast recording right now with me being in California and you being in Arizona. Awesome advantages to this technology, but when it goes down, everything goes down. Even recently, there was this ransomware attack against United Healthcare. I believe it was United, there was an insurance provider that had a ransomware incident and people were not able to get reimbursed and people were not able to pay for their services even at unaffected hospitals. So, the downstream effect of ransomware can be extremely severe, and yeah, not too unrealistic there. Oftentimes, you can't intake new patients, everything switches back to a manual system. Oftentimes, even the climate control would be on an automated digital system, and if that's struck by ransomware, it can be fully taken offline. So, it's a very severe downstream effect.

So, one of the questions I hear, or debates, is no patients have ever died because of a cyberattack. What is your perspective on that?

So, this argument can be difficult to directly attribute harm to a cybersecurity attack. This has since changed. Earlier this year, towards the end of last year, they were starting to do some deep dives into a ransomware attack against NHS blood centers in the UK. They were able to prove if that attack had not happened, patients that had died would have been able to receive treatment that would have saved their lives. Instead, they were unable to receive transfusions. They were unable to receive treatment in time, and they ended up unfortunately dying because they could not receive this due to the ransomware blocks. So, that argument has become fairly recently, definitively unproven, though there is always speculation on what is the actual downstream effect of ransomware. You can say, well, with that breach mentioned earlier around insurance providers, if insurance providers are shut down, some people might not be able to pay for treatments that they would have otherwise needed. Could you attribute that ransomware attack to any negative effects that come up to that individual? How far does that connection go? So, while it can be hard to have a direct attribution without cases such as this NHS incident, the downstream effects can cause significant harm, significant distress, and in cases, even death to individuals where there is a ransomware attack against healthcare delivery organizations.

And this is why the FDA and other regulatory bodies are putting more scrutiny on medical devices.

Exactly. So, when we're looking at why someone is attacking a medical device, we always talk about ransomware. It is the most efficient method to attack hospitals. They're big. There are a lot of devices. It often just takes one thing that was unprotected for a ransomware operator to get in. So, it's usually a very high return on investment for the criminals as opposed to trying to attack, say, a law firm where the information is a lot less sensitive. It may be a smaller attack surface for them to cover. Hospitals are usually just considered the holy grail for ransomware operators, and it's why they're one of the, if not the most, attacked industry there.

What's also the risk, right? Because a law firm, so they can't conduct law for a couple days, like what does it matter? A hospital, though, if it's ransomware, the risk is super high to the patients, and there may be patient lives at stake, so the hospital is forced to do something about it much quicker than like a law firm. Like the scenario you gave.

Exactly. Yeah. Law firms can often wait and try to negotiate down to a better deal. They can get a ransomware negotiator involved with the process, and hospitals oftentimes are going to be forced to make a decision within a matter of hours. Now, very often, it will be a requirement to have insurance in case of ransomware attacks specifically for this reason so that it doesn't go into this in-depth negotiation. You know, the insurance provider, of course, tries to negotiate, but if it comes to a head, generally the way out of it is to pay the ransom and leave. It's a very, it's an awful escape, considering the only reason ransomware operators continue to try these attacks is because the ransoms get paid. But when we're dealing with patient life, patient safety, it's such a difficult decision. Do we try to hold our ground and see if they'll back off, or do we get back to normal operation and potentially save lives that may have been lost? Generally, of course, prioritizing the patients' lives, prioritizing the safety of those individuals has to be the priority. So, unfortunately, paying the ransomware operators does propagate that industry, but it protects the lives of the individuals that would have otherwise been affected.

What are some other cybersecurity attacks on medical devices that are different than, outside the scope of ransomware, that have occurred historically or recently?

So, one example that this attack did not explicitly occur, but it was theorized to occur and then proven to be possible, was Dick Cheney. He had, I believe it was a pacemaker or maybe a defibrillator.

A defibrillator. A pacemaker just keeps the pace of your heart, but a defibrillator can actually shock you.

Okay. So, he had this device, an implantable device within his heart that was, you know, keeping him going, keeping him alive. The device had remote connectivity capabilities. This was, once we were starting to make that shift to companion apps for medical devices where we had a little bit more of a network connectivity going on. But Dick Cheney theorized that someone could try to assassinate him through the pacemaker. What if someone could remotely connect to it and shut it off or change the pacing of it and cause him to have a heart attack? Whatever that problem might be, someone could influence the operation of it. Now, he ended up having it removed and replaced with a version where he did not feel this was a present risk. After the fact, down the line, security researchers did uncover a lot of common vulnerabilities in pacemakers such as the one that he had. Very famously, pacemakers put out by Medtronic were exposed to a cybersecurity vulnerability where someone could, with no authentication, no permission, connect into it and change the way that they worked with a simple tool that sends out a Bluetooth connection, or I believe it was a radio frequency connection. Bluetooth doesn't always work super well for implantable devices; the signal has a hard time leaving tissue, but for radio frequency, it often works a lot better. This was another kickstarter to say,
