Hackers look for every opportunity to infiltrate businesses’ computer networks. And now – frighteningly – that includes through medical equipment and devices at hospitals, doctor’s offices, at home and some that are even implanted into patients’ bodies.
While most hackers are seeking an entry into a health care operation’s larger business and data records – to either sell on the black market or use to extract a cash ransom payment – such infiltrations also give hackers the opportunity to mettle in people’s health and even cause death.
In 2018, medical device maker Medtronic temporarily shut down part of its network after hackers demonstrated they can remotely manipulate a pacemaker – an implanted device that regulates a person’s heartbeat. In 2017, the Federal Drug Administration recalled a pacemaker over concerns it could be hacked. Even a decade ago, a former hacker demonstrated at the Black Hat USA security conference that it’s relatively easy to commandeer an insulin pump and deliver lethal doses to patients.
Former Indiana State Police (ISP) trooper turned cybersecurity expert Nick Sturgeon has seen enough.
Sturgeon left law enforcement in 2015 to take on another kind of bad guy. Since his departure from the ISP, he earned a master’s degree from Purdue University in digital forensics and is working on a doctorate in medical device security.
After running two cyber security programs for the state of Indiana, Sturgeon took a post as director of information security for Indiana University Health. While Sturgeon is no surgeon, officials at IU Health say his work could have lifesaving impacts on patients’ lives.
Sturgeon this year helped launch the IU Health Lab at the 16 Tech innovation district on the west edge of downtown Indianapolis.
Sturgeon leads an elite team of four that is dedicated to figuring out how to hack into medical devices and equipment before the hackers do, and then designing digital protection to prevent such hacks. His team is also using digital forensics to be able to discover how a hack on a medical device happened and identify the perpetrator.
The lab, which opened May 1, is the first of its kind in the state and one of only a very small few like it in the nation.
While the mission relies on advanced technical capabilities, the lab has something of a low-tech vibe. And that’s the way Sturgeon likes it. It’s meant to resemble the garage atmosphere that gave birth to Apple and other now high-flying tech companies. Sturgeon wants his team to be nimble and fast. “With this mission, time is of the essence,” he emphasizes.
Hospitals are increasingly connecting devices to the internet to provide doctors and other health care providers real-time information on how a patient is responding to drugs and treatments. That connectivity triggers a growing risk of getting hacked. Studies by global technology research firm Comparitech found that ransomware attacks on hospitals and health care firms resulted in more than $20 billion in lost revenue, lawsuits and ransom paid in 2020 alone.
The pandemic, Sturgeon explains, has made his team’s mission even more critical.
“Medical devices have had internet or Bluetooth connectivity for more than 10 years. Any maintenance issues or biometric readings were done in hospitals or doctors’ offices prior to the pandemic,” Sturgeon explains. “Now, with COVID … a lot of the routine checkups are being done from a patient’s home, and that communication starts at the patient’s home router. And the security of those, who knows? Most people don’t think of cyber hygiene. That opens up the number of points of attack, and we need to be ready for that.”
The lab is also off of IU Health’s campus by design. Sturgeon wants all his team’s hacking efforts to be on devices that are offline and even physically remote from IU Health’s operational devices and networks.
“We’re off the network so we don’t have to worry about impacting any devices that are in clinical care,” Sturgeon stresses. “This space helps with collaboration as well.” There are no cubicles, walls and other impediments to free-wheeling conversations.
A look around the lab drives home the point how many devices within a health care facility could be targeted by hackers. Sturgeon and his staff work on myriad devices, including electrocardiogram machines, anesthesia equipment, infusion machines and patient monitors used in virtually every hospital room. Sturgeon is lining up partners to work on X-ray and MRI machines as well. He says he can’t yet divulge the partnerships, but expects to do so early next year.
While Sturgeon and his staff are trying to stay a step ahead of hackers, he’s not trying to keep what IU Health is doing at the lab a secret.
“Whether it’s academic institutions, other health systems, independent researchers or possibly health tech companies, we want to collaborate where it makes sense to strengthen our fight against cybercrime,” Sturgeon says. “Openness, transparency and collaboration in our research have been core values for this lab since its inception.”
Sturgeon says interest from potential collaborators, including Indiana medical device manufacturers, has been high. “Every conversation we have,” he says, “leads to three or four more.”
