Michael Barbella, Managing Editor, 11.10.21
It should have been a routine birth.
Terrianni Kidd’s final ultrasound, conducted a week before her delivery, showed a healthy baby and normal womb. A seamless end to a trouble-free pregnancy was nigh.
Or so Kidd thought.
There was nothing blatantly amiss at Springhill Memorial Hospital the day Kidd arrived to deliver her child. But out of public view, the 263-bed acute care facility was contending with a ransomware attack that had disabled its computers, wireless devices, and electronic equipment, including the life-saving fetal cardiac monitors at the nurses' station.
With those monitors dark, the hospital's labor and delivery staff relied on physical proximity and bedside fetal heart monitors to track the baby's condition. Kidd was unaware of the change, and of the cyberattack itself, during her stay at Springhill Memorial, she argues in a wrongful death/negligence lawsuit she filed against the Mobile, Ala.-based institution last January.
About an hour before Kidd gave birth, her monitor detected an accelerated fetal heartbeat—a symptom indicative of low blood and oxygen levels. The deficiency has various causes, one of which is nuchal cord, better known as umbilical cord around the neck.
Increased fetal heart rates usually result in Caesarean section deliveries because the baby needs immediate treatment. But Kidd had a traditional vaginal delivery on July 17, 2019, giving birth to an unresponsive girl with the umbilical cord wrapped around her neck.
Diagnosed with severe brain damage, acute kidney injury, and other medical conditions, Kidd’s daughter—Nicko Silar—died nine months later after months of intensive care at another facility.
Springhill Memorial, according to published reports, denies wrongdoing, contending it was not bound by Alabama law to inform Kidd of the cyberattack and did not create a "false, misleading and deceptive narrative" about the incident, as the lawsuit claims. The hospital wants the latter charge dismissed.
The lawsuit is scheduled for trial next fall; if Kidd’s claims are proven, Silar’s death would be the first conclusively tied to a cyberattack. A Kidd victory also would underscore the grave danger posed by healthcare hacking, which has accelerated significantly in recent years.
Healthcare-related cyberattacks more than doubled in 2020, with ransomware accounting for 28 percent of all assaults, an IBM X-Force report concluded. The industry was the seventh-most targeted sector, up from last place in 2019, and accounted for 6.6 percent of all attacks against the top 10 industries, statistics indicate.
Researchers attribute the rise in healthcare cyberattacks to the pandemic and a surge in ransomware exploits against hospitals. “In essence, the pandemic reshaped what is considered critical infrastructure today, and attackers took note,” explained Nick Rossman, global threat intelligence lead for IBM Security X-Force. “Attackers’ victimology shifted as the COVID-19 timeline of events unfolded, indicating yet again, the adaptability, resourcefulness, and persistence of cyber adversaries.”
That inventiveness and persistence have subjected healthcare organizations to a constant bombardment of cyberattacks and related disruptions. Seven of 10 healthcare systems hit with a ransomware attack in the last two years faced delays in procedures and test results, and 65 percent transferred patients more frequently, Ponemon Institute data show. One in five also experienced higher mortality rates.
The numbers substantiate a May FBI warning about the public danger and potential care delays engendered by ransomware attacks against healthcare entities and first responders.
“Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of Protected Health Information,” the FBI alert stated.
Such consequences are no longer conceptual: In mid-October alone, ransomware attacks crippled IT systems at two Indiana hospitals and a 495-bed Israeli medical center, forcing the latter facility to cancel some non-urgent procedures and install alternative computer systems.
Ransomware also took down Olympus Corp.'s IT systems in the Americas around the same time, although the endoscopy equipment maker reported that no sensitive data was compromised. And while Olympus did not disclose its attacker's identity, ransom notes found on the impacted systems implicated BlackMatter, a ransomware operation first detected in late July, technology website Bleeping Computer reported.
The rise in ransomware attacks, and their grave repercussions, has spawned a flurry of U.S. FDA guidance and safety communications in recent years. In June, the agency voiced its support for national standards and guidelines addressing the Software Bill of Materials (SBOM), a machine-readable inventory of the software components, including third-party and open-source components, that make up a medical device's software. The FDA maintains that SBOMs are key to securing the software supply chain and critical to managing patient safety risks: a hospital or reviewer can only judge whether a newly disclosed vulnerability affects a device if the device's components and versions are known.
“Publicly noted cybersecurity incidents in 2021 include ransomware disabling the Irish Healthcare Service, ransomware disrupting a hospital for weeks, and a fundamentally new problem where ransomware remediation disrupted the cloud services necessary for critical function of cancer radiation therapy rather than simply disrupting electronic health record systems and other, more traditional hospital IT infrastructure,” the FDA said in response to a National Institute of Standards and Technology call for position papers on cybersecurity enhancements. “Such increasingly common ransomware incidents highlight the ungraceful failure of perimeter-based firewalls and the safety consequences of not separating OT from IT by design. Currently, there is no statutory requirement (pre- or post-market) that expressly compels medical device manufacturers to address cybersecurity.”
The FDA is working to fix that oversight by seeking the necessary "legislative authorities" to issue such mandates. Specifically, the agency wants medtech manufacturers to include an SBOM with their premarket submissions, along with a strategy for delivering security updates and patches that is built into the product's design. The FDA also is lobbying for new postmarket authority to require that manufacturers adopt policies and procedures to disclose cybersecurity vulnerabilities promptly, as they are identified.
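The two paragraphs above describe an SBOM as a machine-readable inventory that a manufacturer submits and a hospital or regulator later reads. The Python below is an added example, not code from the article, the FDA, or any company named here, of what a consumer actually does with one: it parses a constructed CycloneDX 1.4 JSON SBOM for a hypothetical device, matches each component's package URL against a constructed list of advisories (the advisory identifiers are placeholders, not real CVEs), compares versions numerically rather than as strings, and flags any component that carries no identifier or version as unverifiable, since an SBOM entry that cannot be matched gives no assurance at all.

```python
"""Check a CycloneDX-style SBOM against a list of security advisories.

Added example; not code from the article, the FDA, or any vendor it names.
The SBOM and advisories below are constructed sample data, and the advisory
identifiers are hypothetical placeholders rather than real CVEs.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4 JSON for a hypothetical device controller.
# Component names and versions are invented for illustration.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "device", "name": "pump-controller",
                               "version": "3.1.0"}},
    "components": [
        {"type": "library", "name": "acme-tls", "version": "1.2.3",
         "purl": "pkg:generic/acme-tls@1.2.3"},
        {"type": "library", "name": "acme-json", "version": "0.9.0",
         "purl": "pkg:generic/acme-json@0.9.0"},
        {"type": "operating-system", "name": "rtos-kernel", "version": "5.4.2",
         "purl": "pkg:generic/rtos-kernel@5.4.2"},
        # A component with no purl and no version: it cannot be assessed.
        {"type": "library", "name": "vendor-blob"},
    ],
})

# Constructed advisories with hypothetical IDs, keyed by version-less purl,
# each giving the first fixed version. A component is affected if its
# version is lower than that.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001 (hypothetical)", "purl": "pkg:generic/acme-tls", "fixed_in": "1.2.4"},
    {"id": "ADV-0002 (hypothetical)", "purl": "pkg:generic/acme-json", "fixed_in": "0.8.5"},
    {"id": "ADV-0003 (hypothetical)", "purl": "pkg:generic/rtos-kernel", "fixed_in": "5.4.10"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.4.10' into (5, 4, 10) so comparison is numeric, not lexical.
    A string compare would wrongly rank '5.4.2' above '5.4.10'."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:generic/acme-tls@1.2.3' into ('pkg:generic/acme-tls', '1.2.3')."""
    base, _, version = purl.partition("@")
    return base, version


def load_components(sbom_text: str) -> List[Dict]:
    """Parse the SBOM JSON and return its component list (empty if absent)."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return sbom.get("components", [])


def check_sbom(sbom_text: str, advisories: List[Dict]) -> Dict[str, List[str]]:
    """Return {'affected': [...], 'unverifiable': [...]} for the SBOM."""
    by_purl = {adv["purl"]: adv for adv in advisories}
    result: Dict[str, List[str]] = {"affected": [], "unverifiable": []}
    for comp in load_components(sbom_text):
        name = comp.get("name", "<unnamed>")
        purl = comp.get("purl")
        version = comp.get("version")
        base = None
        if purl:
            base, purl_version = split_purl(purl)
            version = version or purl_version
        if not base or not version:
            # No identifier or no version: nothing to match against, so flag it
            # rather than silently treating it as clean.
            result["unverifiable"].append(name)
            continue
        adv = by_purl.get(base)
        if adv and parse_version(version) < parse_version(adv["fixed_in"]):
            result["affected"].append(
                f"{name}@{version}: {adv['id']} (fixed in {adv['fixed_in']})")
    return result


if __name__ == "__main__":
    report = check_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for line in report["affected"]:
        print("AFFECTED    ", line)
    for name in report["unverifiable"]:
        print("UNVERIFIABLE", name)
```

Run as written, the check reports acme-tls and rtos-kernel as affected (the latter only because versions are compared numerically), leaves acme-json alone because it is already past the fixed version, and lists vendor-blob as unverifiable. That last bucket is the one a reviewer of a premarket submission would push back on: an SBOM entry with no package identifier or version cannot be matched to any future disclosure.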
“The degree of medical device connectedness has really changed in the last 10 years. The risks have been the same, but the consequences are changing just because of how much we depend on them [devices],” noted Kevin Fu, Ph.D., acting director of medical device cybersecurity at FDA’s Center for Devices and Radiological Health. Appointed to his temporary (one-year) position in early February, Fu is on loan from the University of Michigan, where he is an associate professor and chief scientist at the Archimedes Center for Medical Device Security. Fu and his doctoral students co-founded medical device cybersecurity startup Virta Laboratories Inc.
“Earlier this year [we] entered a watershed moment for medical device security [with] a radiation therapy product. Instead of ransomware randomly disabling access to electronic health records, which is still quite inconvenient, the ransomware in this case, or the remediation process to the ransomware, caused an outage such that patients could not receive that particular therapy from the device,” Fu said. “That was something we haven’t seen before. You can’t have a safe and effective medical device if it’s unavailable. This is the new challenge.”
Assisting the medtech industry with this latest challenge is the Center for Medical Device Cybersecurity (CMDC), an entity that launched earlier this fall at the University of Minnesota (Minneapolis-St. Paul). Founded and partly funded by five large healthcare firms—Abbott Laboratories, Boston Scientific Corp., Medtronic plc, Optum, and Smiths Medical—the CMDC will act as a collaborative hub for discovery, outreach, and workforce training in medical device security.
The CMDC is located within the Technological Leadership Institute, a center within the university's College of Science and Engineering that focuses on developing leaders in various tech industries. Other CMDC collaborators include the Earl E. Bakken Medical Devices Center and the Office of the Vice President for Research.
“It’s been a sea change over the last 10 to 15 years,” Fu said. “Fifteen years ago, the medical device community was still in the ‘Is this a problem?’ [stage] and it’s clear to me we are no longer in the ‘Is this a problem?’ [stage] but more of a ‘What can the [medical] community do to defend itself now that there are nation-states and organized real-threat actors causing harm and damaging the safety and effectiveness of medical devices?’”
Good question, but a difficult one to answer.
Be sure to review the other portions of the 2021 Year in Review feature:
MDR/IVDR Rollout and Challenges
Supply Chain Struggles for Medtech Manufacturers
M&A Accelerates During the Pandemic