Feds Probe Cybersecurity Dangers in Medical Devices

U.S. Homeland Security is looking into two dozen cases of possible cybersecurity flaws in heart implants and hospital devices

Cybersecurity researcher Billy Rios looks over a Pyxis medical supply dispenser and an infusion pump, which controls the flow of intravenous drugs into hospital patients.
Photo: Robert Galbraith / Reuters / Landov

When a person’s survival is reliant upon medical implants and other devices with computer chips, the potential consequences of cybersecurity flaws can be deadly. The U.S. Department of Homeland Security is now looking into at least two dozen cases of possible cybersecurity flaws in medical devices ranging from artificial heart implants to hospital infusion pumps.

The revelations came from a senior Department of Homeland Security (DHS) official, who cautioned that the agency does not know of any cases in which hackers have targeted patients through the medical devices, according to Reuters. But the official also emphasized that the potential risks were “things that shows like ‘Homeland’ are built from,” in reference to a plotline involving a cyber attack on the U.S. president’s pacemaker.

A DHS unit called the Industrial Control Systems Cyber Emergency Response Team is investigating medical devices from companies such as Hospira, Medtronic, and St. Jude Medical, according to unnamed Reuters sources familiar with the cases. The agency wants to help manufacturers fix software bugs and other vulnerabilities that could be exploited by hackers; agency sources emphasized that the companies did not do anything wrong.

The senior official refused to disclose names of the companies involved. But Reuters discovered that the devices under investigation include implantable heart devices made by Medtronic and St. Jude Medical. The two companies make a range of heart implants such as cardiac monitors and pacemakers. Hackers who found the right exploit in a heart implant could potentially deliver a jolt of electricity to the patient’s heart or cause other potentially lethal malfunctions.

Another device being reviewed by the DHS unit is an infusion pump made by Hospira. Infusion pumps are used in hospitals to deliver drugs, pain relievers and nutrients directly into a patient’s bloodstream in certain doses. Reuters independently identified the Hospira device through private cybersecurity researchers, including one who had written a sample program that could force multiple infusion pumps to deliver lethal doses of drugs to patients. The researcher turned over his results to DHS. (In 2011, Jerome Radcliffe demonstrated such a hack by remotely disabling his own insulin pump.)

Other medical devices under investigation include medical imaging equipment and hospital networking systems, according to the senior DHS official.

DHS launched its cybersecurity investigations of medical devices two years ago. The U.S. Food and Drug Administration also recently unveiled new guidance for how companies should disclose information about the cybersecurity protection and management of their medical devices being submitted for commercial market approval.

Hackers don’t appear to have exploited such cyber vulnerabilities in medical devices so far. But the risks may only grow as an increasing number of medical devices become wirelessly connected to other devices and the Internet. Security researchers have already demonstrated attacks on cardiac defibrillators and the insulin pumps used by diabetics.

Editor’s Note: A DHS spokesperson confirmed that one of their team had spoken with Reuters and that their unit was working on a number of medical device cybersecurity flaws.
