Feds Probe Cybersecurity Dangers in Medical Devices

Photo: Robert Galbraith / Reuters / Landov
Cybersecurity researcher Billy Rios looks over a Pyxis medical supply dispenser and an infusion pump, which controls the flow of intravenous drugs into hospital patients.

When a person’s survival depends on medical implants and other devices with computer chips, the potential consequences of cybersecurity flaws can be deadly. The U.S. Department of Homeland Security is now looking into at least two dozen cases of possible cybersecurity flaws in medical devices ranging from artificial heart implants to hospital infusion pumps.

The revelations came from a senior Department of Homeland Security (DHS) official, who cautioned that the agency does not know of any cases in which hackers have targeted patients through the medical devices, according to Reuters. But the official also emphasized that the potential risks were “things that shows like ‘Homeland’ are built from,” in reference to a plotline involving a cyber attack on the U.S. president’s pacemaker.

A DHS unit called the Industrial Control Systems Cyber Emergency Response Team is investigating medical devices from companies such as Hospira, Medtronic, and St. Jude Medical, according to unnamed Reuters sources familiar with the cases. The agency wants to help manufacturers fix software bugs and other vulnerabilities that could be exploited by hackers; agency sources emphasized that the companies did not do anything wrong.

The senior official refused to disclose names of the companies involved. But Reuters discovered that the devices under investigation include implantable heart devices made by Medtronic and St. Jude Medical. The two companies make a range of heart implants such as cardiac monitors and pacemakers. Hackers who found the right exploit in a heart implant could potentially deliver a jolt of electricity to the patient’s heart or cause other potentially lethal malfunctions.

Another device being reviewed by the DHS unit is an infusion pump made by Hospira. Infusion pumps are used in hospitals to deliver drugs, pain relievers and nutrients directly into a patient’s bloodstream in certain doses. Reuters independently identified the Hospira device through private cybersecurity researchers, including one who had written a sample program that could force multiple infusion pumps to deliver lethal doses of drugs to patients. The researcher turned over his results to DHS. (In 2011, Jerome Radcliffe demonstrated such a hack by remotely disabling his own insulin pump.)

Other medical devices under investigation include medical imaging equipment and hospital networking systems, according to the senior DHS official.

DHS launched its cybersecurity investigations of medical devices two years ago. The U.S. Food and Drug Administration also recently unveiled new guidance for how companies should disclose information about the cybersecurity protection and management of their medical devices being submitted for commercial market approval.

Hackers don’t appear to have exploited such cyber vulnerabilities in medical devices so far. But the risks may only grow as an increasing number of medical devices become wirelessly connected to other devices and the Internet. Security researchers have already demonstrated attacks on cardiac defibrillators and the insulin pumps used by diabetics.

Editor’s Note: A DHS spokesperson confirmed that one of their team had spoken with Reuters and that their unit was working on a number of medical device cybersecurity flaws.
