“The threats to healthcare are absolutely real,” says an Indiana University Health technology expert who cautions the recent cyberattack on the Colonial Pipeline Co., the largest fuel pipeline in the U.S., should serve as a warning for the medical industry. Cybersecurity experts believe it’s only a matter of time before a similar attack on a hospital, for example, causes tragic consequences. The reality of medical devices relying on the internet to function is that patients’ lives are dependent on their security. Motivated by patient safety and lessons learned during the pandemic, IU Health says it’s taking matters into its own hands by opening a lab to test medical devices its patients rely on.
The threat hit very close to home in 2018 when hackers launched a ransomware attack on Hancock Health in Greenfield. The attack targeted the most critical information systems of the hospital, and the president and chief executive officer later shared that “fortunately, patient life support systems were not directly affected.”
But they could be, says IU Health Director of Information Services Nick Sturgeon. And that’s why the state’s largest health system recently opened a laboratory at the 16 Tech Innovation District in Indianapolis to test the security of medical devices IU Health relies on every day.
“Obviously, COVID played a huge part in realizing that relying on other folks may not best meet our needs. We want to test these devices ourselves and tell our patients we have the utmost confidence in these devices that we’re putting in patient settings,” says Sturgeon. “It’s a ‘trust but verify’ type of mentality that most security professionals have. We want to be able to trust what’s being told to us, but through the verification process of us actually testing these, we get that next level of confidence.”
Sturgeon admits that security professionals are struggling to keep pace with the accelerating adoption of internet-connected medical devices and virtual care models—the “internet of medical things” or IoMT. A report from research firm Fior Markets says the global medical device connectivity market is expected to explode from $1.6 billion in 2019 to $8.8 billion in 2027.
“Security professionals operate within an ethics code of conduct, and that really does limit our ability to keep pace with the bad guys; they have no rules, no morals or ethics—they’re not bound in the same way we are. For the sake of full transparency, that does give them a little bit of an advantage, and that’s really all it takes,” says Sturgeon. “And with some of these new technologies that come out, security isn’t necessarily the first thing that’s thought about—that also puts us at a bit more of a disadvantage. That’s why this research and testing is needed; we need to be very collaborative with what we find, so we can give ourselves as a security domain as many advantages as possible.”
The new lab is currently testing the security of about 15 devices, including anesthesia and electrocardiogram (EKG) machines, infusion pumps (used to deliver fluids into a patient’s body) and patient monitors. Sturgeon says the lab team is essentially trying to hack the devices “as a bad guy would hack it.”
“That’s the advantage we have as [IU Health’s Security Research] Red Team; we view things from the perspective of these ‘bad actors,’” says Sturgeon. “We can look at areas that maybe an operational IT person wouldn’t look at, because they may be just worried about keeping the lights on and making sure it’s functioning.”
The lab’s reach will extend far beyond IU Health. In accordance with standard disclosure practices, the team will alert manufacturers or hospitals of any vulnerabilities they find so they can be resolved. The lab is also tasked with sharing its findings with the security community via peer-reviewed journals.
In addition to the lab’s proximity to the IU School of Medicine, Eskenazi Hospital, IUPUI and Regenstrief Institute, Sturgeon says 16 Tech has a unique innovative atmosphere. He believes the lab’s garage-style setting echoes the energy of companies like Google, Microsoft and IBM “to allow for creativity in thinking outside the box.”
“We’re absolutely certain collaboration and innovation will come out of this lab. We recognize cybersecurity as a patient safety issue, and we’re excited about the ability for us to protect patients who come to IU Health, as well as patients nationally or internationally,” says Sturgeon. “We think this lab is unique—a hospital system being innovative, looking at things differently and taking a step to do what’s right for our patients.”
Sturgeon says the lab will focus not only on system-wide devices, but the entire “internet of medical things.”
Sturgeon says the lab will benefit from Indiana’s deep expertise in cybersecurity.