When a person’s survival is reliant upon medical implants and other devices with computer chips, the potential consequences of cybersecurity flaws can be deadly. The U.S. Department of Homeland Security is now looking into at least two dozen cases of possible cybersecurity flaws in medical devices ranging from artificial heart implants to hospital infusion pumps.
The revelations came from a senior Department of Homeland Security (DHS) official, who cautioned that the agency does not know of any cases in which hackers have targeted patients through the medical devices, according to Reuters. But the official also emphasized that the potential risks were “things that shows like ‘Homeland’ are built from,” in reference to a plotline involving a cyber attack on the U.S. president’s pacemaker.
A DHS unit called the Industrial Control Systems Cyber Emergency Response Team is investigating medical devices from companies such as Hospira, Medtronic, and St. Jude Medical, according to unnamed Reuters sources familiar with the cases. The agency wants to help manufacturers fix software bugs and other vulnerabilities that could be exploited by hackers; agency sources emphasized that the companies did not do anything wrong.
The senior official refused to disclose names of the companies involved. But Reuters discovered that the devices under investigation include implantable heart devices made by Medtronic and St. Jude Medical. The two companies make a range of heart implants such as cardiac monitors and pacemakers. Hackers who found the right exploit in a heart implant could potentially deliver a jolt of electricity to the patient’s heart or cause other potentially lethal malfunctions.
Another device being reviewed by the DHS unit is an infusion pump made by Hospira. Infusion pumps are used in hospitals to deliver drugs, pain relievers and nutrients directly into a patient’s bloodstream in certain doses. Reuters independently identified the Hospira device through private cybersecurity researchers, including one who had written a sample program that could force multiple infusion pumps to deliver lethal doses of drugs to patients. The researcher turned over his results to DHS. (In 2011, Jerome Radcliffe demonstrated such a hack by remotely disabling his own insulin pump.)
Other medical devices under investigation include medical imaging equipment and hospital networking systems, according to the senior DHS official.
DHS launched its cybersecurity investigations of medical devices two years ago. The U.S. Food and Drug Administration also recently unveiled new guidance for how companies should disclose information about the cybersecurity protection and management of their medical devices being submitted for commercial market approval.
Hackers don’t appear to have exploited such cyber vulnerabilities in medical devices so far. But the risks may only grow as an increasing number of medical devices become wirelessly connected to other devices and the Internet. Security researchers have already demonstrated attacks on cardiac defibrillators and the insulin pumps used by diabetics.
Editor’s Note: A DHS spokesperson confirmed that one of their team had spoken with Reuters and that their unit was working on a number of medical device cybersecurity flaws.
Jeremy Hsu has been working as a science and technology journalist in New York City since 2008. He has written on subjects as diverse as supercomputing and wearable electronics for IEEE Spectrum. When he’s not trying to wrap his head around the latest quantum computing news for Spectrum, he also contributes to a variety of publications such as Scientific American, Discover, Popular Science, and others. He is a graduate of New York University’s Science, Health & Environmental Reporting Program.