Cybersecurity Flaws in Medical Devices Lead to Homeland Security Investigation

Infusion pumps, heart devices and insulin pumps may be particularly vulnerable to cyberattacks, and are among the devices targeted by a new safety investigation launched by government.  

According to a report by Reuters News, the U.S. Department of Homeland Security (DHS) is investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment which could be exploited by hackers.

The products are under review by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), including Hospira infusion pumps that are designed to deliver medication directly to a patient’s bloodstream, as well as implantable heart devices manufactured by Medtronic Inc and St. Jude Medical Inc.

Reuters indicates that information about the investigation into potential cybersecurity flaws in the medical devices was received from an anonymous senior level official in the DHS. The source indicated that they were unaware of any specific instances where hackers were able to attack patients through these devises, but the devices were being investigated for possible vulnerabilities.

The main concern is hackers with malicious intent will gain control of devises remotely and create problems, such as causing an infusion pump to overdose a patient with drugs or forcing heart implants to receive a lethal jolt of electricity.

In 2012, a demonstration at the RSA security conference in San Francisco exposed potential security flaws with certain Medtronic insulin pumps, with hackers showing how they were able to remotely access the medical devices from 300 feet away.

Other security flaws in pumps have allowed hackers to scan an area for the devices, hack them and then cause the pump to deliver a potentially fatal dose of insulin.

Plugging the Cyber Vulnerabilities

ICS-CERT indicates that it is working with the manufacturers to repair software vulnerabilities and coding bugs that hackers can use to attack equipment or expose confidential data.

While many of the scenarios seem farfetched, the Reuters News source suggested that it is not out of the realm of possibility to cause severe injury or death.

ICS-CERT started examining the medical equipment two years ago. Traditional thinking believed the products only needed to be protected from unintentional hacks, now they believe intentional hacks must be guarded against as well.

Earlier this month the FDA issued final guidance on the cybersecurity of medical devices. The guidance suggested ways that manufacturers should handle security concerns surrounding new technology used in medical devices.

The FDA also called on manufacturers to consider hacks during the initial design of medical devices, asking manufacturers to inform the agency about potential risks and how to handle them.

In 2013, the FDA urged medical device manufacturers to take new measures to increase cybersecurity. The FDA safety warning called on health care facilities and manufacturers to take steps to safeguard their networks and information before and attack occurs. The recommendations included, conducting security software updates, install patches and refraining from uncontrolled distribution of passwords.