What the hack?

There’s no debating it. Medical technology is a must-have today and will be in the future. From electronic anesthetic records to wireless infusion pumps, pacemakers, and other implanted devices, clinicians place implicit trust in the functionality and security of these technologies. When and if this technology is compromised, the threat to patient care can be serious and widespread.


Jeff Tully, M.D., a Senior Anesthesiology Resident at UC Davis Medical Center, and Kristin M. Ondecko Ligda, M.D., FASA, an Assistant Professor of Anesthesiology at the University of Pittsburgh School of Medicine, will introduce the implications of cyber attacks on medical technology and infrastructure during the Monday session “Where Bits and Bytes Meet Flesh and Blood: The Patient Safety Threat of Medical Cybersecurity.”

“Medicine has become increasingly reliant on connected medical devices and technologic infrastructure. The modern hospital depends on networked computers for most workflows, from the electronic medical record used by clinicians at the bedside to laboratory and radiology systems that support ancillary studies and services,” Dr. Tully said. “The average hospital room has between a half-dozen and a dozen connected medical devices responsible for monitoring patient physiology or providing therapy, a proliferation taken to the extreme in ICUs where incredibly sophisticated technologies are responsible for life-sustaining functions.”

Where Bits and Bytes Meet Flesh and Blood: The Patient Safety Threat of Medical Cybersecurity

9:30 – 10:30 a.m.


Computer security researchers have demonstrated critical weaknesses in many tools that populate the medical technology ecosystem, from in-network soft spots that predispose hospitals to crippling ransomware viruses to bugs in the software of a surgical robot.

According to Dr. Tully, the increasing degree to which devices and infrastructure are connected to computer networks (including the internet) is due in part to the enhanced functionality such connections allow. This includes remote monitoring by clinical specialists in underserved areas, collection of huge amounts of clinical informatics data for complex population health analysis and research, and regulatory mechanisms that have encouraged increasing connectivity within the health care system.

“There is a significant opportunity and promise with these types of technologies, but that same connectivity can be dangerous if cybersecurity vulnerabilities are exploited,” he said.

Less fully understood, however, are the potential patient safety impacts of such vulnerabilities, and what steps providers and health care delivery organizations can take to prevent them. The O.R., for example, is incredibly connected, Dr. Tully said, including anesthesia workstations and monitor systems that dump data directly into servers for real-time EMR upload, infusion pumps used to deliver continuous drips (many new models update their onboard drug libraries wirelessly), surgical robots, and drug cabinets that store anesthetic and emergency drugs. Anesthesiologists rely on an extensive collection of electronic tools and technologies to safely bring patients through the perioperative period.

In fact, Dr. Ligda said, security researchers have documented numerous examples of software and hardware vulnerabilities in each of the aforementioned devices.

“Clinical implications can be extrapolated directly from the consequences of acute failure of these tools – malfunction of an infusion pump leading to an unintended bolus or cessation of a drug, change to mixtures of gases coming from an anesthesia workstation, intraoperative failure of a surgical robot, etc.,” she said.

In response to common technology failures in the O.R. and potential medical cyberattacks, Dr. Tully encourages clinicians to create a “complete and thorough anesthetic plan” that includes contingencies for unexpected or dangerous situations. Anesthesia training includes learning to troubleshoot a variety of technology failures with respect to the anesthesia or surgical systems, be it gas pipelines or mechanical ventilators. A standalone oxygen source, bag mask ventilation system, suction and vasoactive/anesthetic medications are essential back-up for any situation.

Potential responses to medical cyberattacks will depend largely on the type of incident, he said, and may fall under established protocols detailed in an organization’s emergency management plan. A ransomware attack like the WannaCry virus, which infected hospitals across the U.K.’s National Health Service in 2017, may require rapid transition to non-electronic medical records and results systems, while an exploited medical device may need to be quarantined by clinical engineering and IT teams.

During the Monday session, presenters will document a number of hypothetical cases derived from medical security research to challenge attendees with scenarios of hacked medical devices and downed hospital networks. Dr. Tully will share several personal stories, including those of one researcher who purposely hacked the communication protocols of his own insulin delivery pump and of another researcher who required a pacemaker after a syncopal episode. After learning that she had third-degree heart block requiring life-long pacing, and concerned when her own doctors did not fully understand the security implications of the wireless connectivity functions of her device, the researcher turned to studying these issues as a professor of information security in Norway.

Dr. Tully said basic cybersecurity hygiene practices may be the most effective interventions a health care delivery organization can implement to reduce risk of a cyber incident. Strong password generation, workstation security and phishing awareness are all concepts that clinicians should be familiar with and practice. Two-factor authentication, network segmentation and encryption, and inventory and traffic analysis of connected devices are more advanced practices that clinical IT departments can implement to further ensure the reliability and safety of the technology we use to care for patients.

“The motto of the ASA is vigilance,” Dr. Tully said. “Anesthesiology professionals are responsible for the utilization of connected technology throughout the perioperative experience, and as such should be aware of the potential risks inherent to these tools in order to provide the safest patient care.”
