That memorable episode in the second season of Homeland, in which Brody helps kill the vice president by giving a hacker his pacemaker’s serial number to disable it, seemed slightly implausible when it aired in 2012. But the chance of such a horrifying scenario taking place in real life is “realistic,” says a top health security researcher.
For this reason, Avi Rubin, computer science professor at Johns Hopkins University, is not surprised that the U.S. Food and Drug Administration has issued guidelines for how medical device manufacturers should better secure their products.
I caught up with Rubin after his recent talk at a Bay Area security conference, in which he urged the health sector to take steps to improve its security. After years of testing and research, Rubin doesn’t hesitate to describe stakeholders in health care, including hospitals, medical device makers, and doctors, as the “absolute worst” at protecting patients from hacks. This interview with Rubin has been edited for brevity.
What prompted you to start investigating security at hospitals and other health providers?
I fell into it by accident. I had founded a company to do security evaluations, and we ended up being approached by a medical institution to test their security. After that job, I started touring the local hospitals and studying their IT practices to learn exactly how things worked.
You say that data security practices in health care are worse than other industries. Can you provide any examples of that?
I found that one hospital’s radiology department had a nurse constantly typing in the doctors’ passwords into their terminals when they were not around so that they would stay logged in. I also found that people would VPN (access the health systems’ private network) into the hospital system using the same computer that their kids used to play video games. That is a huge security risk.
You say that doctors are “lousy” at security. Can you give an example or two?
My experience talking to doctors is that they do not want security interfering with their workflows. Security is often non-transparent and requires people to make changes. For example, dual factor authentication, as done traditionally, might slow down a doctor who is treating a critical patient.
Thanks to the television show Homeland, many people are now aware that medical devices can be hacked. Is this something that regulators and the public should be concerned about?
Definitely. There has been research that has shown that the Homeland scenario is quite realistic. I believe that device manufacturers are aware of this and are taking security very seriously.
When patients’ medical records are hacked, what do the hackers typically do with that data? How are patients harmed in the process? In February of last year, Anthem’s database of medical records was hacked, which left more than 78 million people vulnerable.
I believe that hackers sell the information found in medical records to promote identity theft. I also suspect that the information could be used for blackmail, but I don’t have any hard evidence of that.
Do hospitals typically have access to the talent and resources they need to keep data secure?
The big hospitals do. At Johns Hopkins there are hundreds of people working on this. Smaller practices do not have those resources, and the challenges are greater for them.