We had the opportunity to talk with the author of the report about why medical device security is important and how the issue should be handled in the future.
Cyber Security Connection: Thanks for joining us, Deral. I have read the report and it is quite fascinating, if a little worrying. Can you give me a brief summary of what you were doing and what you found during your research?
Deral Heiland: The focus of the report was a systemic problem I discovered while conducting a broader security research project on infusion pumps last year.
During that process, I acquired several devices online, and as I was finishing up that project, I started noticing that these devices still seemed to have data on them, like Wi-Fi credentials and things like that, which was a bit of a concern. So I expanded and bought several devices. I think I ended up purchasing 15 or 16 devices over a three- or four-month period, and I started taking them apart and looking at the data, and I realized that a lot of these hospitals and medical organizations don’t seem to be following a cradle-to-grave process with their technology.
This means that when it reaches the end of its useful life, they just send it out the door without taking into account the data it could actually store. Basically, the paper breaks that down; then we move on to the technical part, where it’s like: this is how you would do it, this is how the data gets there. I think it’s important to have those proofs of concept in there.
And then at the end, we talked about it as a systemic issue. How do we solve that? How do we think about policy processes, so that organizations can better manage these embedded technologies that they deal with on a daily basis?
CSC: What kind of data did you find on these older infusion pumps?
Deral Heiland: In this particular case, with these infusion pumps, the good thing is that there was no health record data. So that was a good thing.
In one case we found that there was actual live infusion pump data on this stuff, but it was tied to a serial number, not an individual, so only the back-end database record would tell you who that data belonged to. That was positive, but in the case of these pumps, we found pre-shared Wi-Fi keys. So what does that mean?
If you’re familiar with most organizations, when a piece of equipment expires, you don’t necessarily go back and change the Wi-Fi passwords on each machine. They don’t get aged out. Generally, when the new technology arrives, it stays the same. That has been my experience over more than 30 years. Unless you change the entire underlying infrastructure of each device, and you usually don’t.
So what does that mean from a risk perspective?
What it means is that companies are selling (or hospital organizations are selling) their equipment or shipping it overseas. In fact, someone could obtain that data that would give them access to the biomedical health network, the network where critical care takes place, which to me is very concerning.
CSC: Now this report focuses on the United States, but do you think this is more widespread than that? Could this be a problem in Australia, for example, and how does our healthcare system address these devices?
Deral Heiland: Yes, I’m 100 percent sure that very few organizations are going through proper decommissioning procedures – they’re not wiping data off their devices before they walk out the door.
And I would expect that, whether you’re looking at these infusion pumps, or you’re looking at other infusion pumps, or you’re looking at other medical devices, embedded medical devices that are actually aging and going off the market, I would expect that, on a large scale… a lot of that data goes out the door.
If we go back a few years, the whole thing was in the news: hard drives. Companies were selling their devices, hard drives and all… Well, flash memory chips, those are the new hard drive today. And these are not something you can easily take out and destroy like a hard drive is. The data sits on small embedded chips that hold massive amounts of data. And all of this data is stored in these things.
Unless you follow the proper processes within the device itself to delete the data, it’s not going anywhere. It’s going to be there.
CSC: So what is the process to delete this data? Is it too difficult, or is it doable and just not being done?
Deral Heiland: I think with most organizations, of the three that I looked at, for two of them I have confirmed 100 percent that there are written processes in their documentation. With Alaris [a device manufacturer], I worked with their security teams and they said, “Yes, it’s in the documentation.” It’s in there.
With the Baxter [another device], we actually helped improve some of the processes from the research we did last year, to make it even better, because it turned out that the data… they had a procedure to purge it from the infusion pump, but the battery unit houses the Wi-Fi, and the data was actually still on it. So we fixed all their processes and procedures from that. So they are doing it.
Typically, we see that most producers, the companies that produce these products, are starting to make sure that there are processes in place to remove this data. Because this is not the first story like this. There have been other stories covering everything from police body cameras to all sorts of things. So we’re starting to see more vendors thinking about their devices from a technology standpoint and how they can appropriately take them to the end of their life and delete that data.
CSC: So, as always, it’s the people in the system, not the system itself, that are allowing this data to escape?
Deral Heiland: Exactly.
CSC: Before we continue, my usual question for people in this field: As a security specialist, what keeps you up at night?
Deral Heiland: Vulnerabilities don’t keep me up at night, because you know that every piece of equipment, every piece of technology has vulnerabilities. It all comes down to: is the supplier proactive?
What keeps me awake is… I think this is a great example in this article. I think there are a lot of things that organizations aren’t doing, or that organizations aren’t aware of, and I’ve been preaching this these last few years when it comes to embedded technology. We don’t have hard drives anymore: we have flash memory chips, and these flash memory chips are between eight and 16 gigabytes in size, which is a lot of data. And organizations don’t know what data is stored in them.
Many times, they may not be able to confirm 100 percent whether the data is actually being deleted. When you go through the purging process, are you really eliminating it? So it’s those unknowns that worry me, and the fact that organizations simply aren’t aware of this type of technology and what it means… We’ve spent our entire lives dealing with hard drives, and we’re finally comfortable with the fact that we’re not just going to give away our hard drives.
And now we’re doing the same thing again with more micro-sized flash memory technology.
CSC: Thank you very much for chatting with us, Deral.
You can read Deral’s full report here: Safety Implications of Improper Removal of Medical Infusion Pumps.