Feds Probe Cybersecurity Dangers in Medical Devices

U.S. Homeland Security is looking into two dozen cases of possible cybersecurity flaws in heart implants and hospital devices

Cybersecurity researcher Billy Rios looks over a Pyxis medical supply dispenser and an infusion pump, which controls the flow of intravenous drugs into hospital patients.
Photo: Robert Galbraith / Reuters / Landov

When a person’s survival depends on medical implants and other devices with computer chips, the potential consequences of cybersecurity flaws can be deadly. The U.S. Department of Homeland Security is now looking into at least two dozen cases of possible cybersecurity flaws in medical devices ranging from artificial heart implants to hospital infusion pumps.

The revelations came from a senior Department of Homeland Security (DHS) official, who cautioned that the agency does not know of any cases in which hackers have targeted patients through the medical devices, according to Reuters. But the official also emphasized that the potential risks were “things that shows like ‘Homeland’ are built from,” in reference to a plotline involving a cyber attack on the U.S. president’s pacemaker.

A DHS unit called the Industrial Control Systems Cyber Emergency Response Team is investigating medical devices from companies such as Hospira, Medtronic, and St. Jude Medical, according to unnamed Reuters sources familiar with the cases. The agency wants to help manufacturers fix software bugs and other vulnerabilities that could be exploited by hackers; agency sources emphasized that the companies did not do anything wrong.

The senior official refused to disclose names of the companies involved. But Reuters discovered that the devices under investigation include implantable heart devices made by Medtronic and St. Jude Medical. The two companies make a range of heart implants such as cardiac monitors and pacemakers. Hackers who found the right exploit in a heart implant could potentially deliver a jolt of electricity to the patient’s heart or cause other potentially lethal malfunctions.

Another device being reviewed by the DHS unit is an infusion pump made by Hospira. Infusion pumps are used in hospitals to deliver drugs, pain relievers and nutrients directly into a patient’s bloodstream in certain doses. Reuters independently identified the Hospira device through private cybersecurity researchers, including one who had written a sample program that could force multiple infusion pumps to deliver lethal doses of drugs to patients. The researcher turned over his results to DHS. (In 2011, Jerome Radcliffe demonstrated such a hack by remotely disabling his own insulin pump.)

Other medical devices under investigation include medical imaging equipment and hospital networking systems, according to the senior DHS official.

DHS launched its cybersecurity investigations of medical devices two years ago. The U.S. Food and Drug Administration also recently unveiled new guidance for how companies should disclose information about the cybersecurity protection and management of their medical devices being submitted for commercial market approval.

Hackers don’t appear to have exploited such cyber vulnerabilities in medical devices so far. But the risks may only grow as an increasing number of medical devices become wirelessly connected to other devices and the Internet. Security researchers have already demonstrated attacks on cardiac defibrillators and the insulin pumps used by diabetics.

Editor’s Note: A DHS spokesperson confirmed that one of their team had spoken with Reuters and that their unit was working on a number of medical device cybersecurity flaws.
