About two dozen cases of suspected cybersecurity vulnerabilities in medical devices are under investigation by the US Department of Homeland Security, according to a senior official.
The devices under inspection by DHS’s Industrial Control Cyber Emergency Response Team (ICS-CERT) include implantable heart devices from St Jude Medical and Medtronic and an infusion pump from Hospira, according to a Reuters report.
Although no instances of hackers using these devices to attack patients have been reported, the US government is concerned that cyber criminals may try to gain remote access to the products.
After gaining remote access, criminals can instruct an infusion pump to overdose a patient with drugs, or deliver a deadly jolt of electricity with a heart implant device, according to the sources cited by Reuters.
“These are the things that shows like ‘Homeland’ are built from,” the DHS official told Reuters, referring to the American political thriller television series in which a fictional vice president of the U.S. is assassinated by hacking into his pacemaker.
“It isn’t out of the realm of the possible to cause severe injury or death,” the official said, adding that “the agency is working with manufacturers to detect and fix software vulnerabilities that could help hackers access confidential data and control medical devices.”
St Jude Medical, Medtronic and Hospira declined to comment on the investigations. All three companies stated that they take cyber security seriously and have made efforts to improve product safety, but all of them declined to provide further details.
A senior DHS official said that the agency started reviewing healthcare equipment two years ago, when cyber security researchers started taking interest in medical devices featuring wireless technology, software, computer chips and internet connectivity.
The two dozen cases currently being investigated include medical imaging equipment.
Previous cases and demonstrations
Medical devices these days are all connected to the Internet in one way or another, which makes checking and adjusting them easy.
However, the wireless connectivity presents an opportunity for cyber criminals to exploit the system and access the devices to conduct attacks.
Three years ago, security researcher Jay Radcliffe explained how wireless attacks could remotely control insulin pumps and potentially kill victims. He later decided not to use his Medtronic insulin pump because he didn’t feel safe wearing it.
Furthermore, the feds were pressed to protect wireless devices from cyber criminals two years ago after security researchers highlighted implantable medical device insecurities. Other researchers made an anti-hacking jamming device that became a ‘shield’ to stop attackers from launching lethal pacemaker attacks.
In 2014, Europol (Internet Crime Threat Assessment) mentioned targeted attacks including ‘possible death’ and referenced a cybersecurity prediction claiming that the first ever public case of murder through hacked Internet-connected devices would be seen by the end of 2014.
The current probe came after the FDA (US Food and Drug Administration) announced guidelines for healthcare providers and manufacturers to increase security in medical devices.
Chief Scientist at the FDA’s Center for Devices and Radiological Health, William Maisel, didn’t comment on the DHS probe, but stated the following to Reuters:
“The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too.”