Healthcare providers have long recognized a threat to medical devices and systems that use wireless connectivity. Hospital information systems have dealt with hackers accessing their files and corrupting their systems, but the threat posed to implanted medical devices is greater still.
In 2008, researchers at the Medical Device Security Center found that implantable cardiac defibrillators using pacemaker technology could be hacked wirelessly with potentially fatal results. These products used unencrypted radio signals, which would allow a hacker access to the device if he or she was within range.
Researchers in this study were able to access patient data, adjust the way that the device would respond to cardiac events, and induce fibrillation. Essentially, this showed that a hacker could turn a device off or administer a potentially fatal shock.
In 2011, a researcher demonstrated at the Black Hat security conference that he could hack into his own insulin pump. With only the serial number of the device, he was able to adjust the settings remotely. He also wrote a program that could cycle through possible numbers to find the serial number for the targeted device. This would give a hacker the ability to administer a potentially lethal dose of insulin. Though both attacks were only hypothetical, this research shined a bright light on a glaring flaw in the way that wireless medical devices function.
Getting the Government Involved
The researcher who hacked his insulin pump successfully brought mainstream attention to the issue of cybersecurity for medical devices. Reps. Anna Eshoo (D-CA) and Ed Markey (D-MA) called on the Government Accountability Office to examine the safety of wireless medical devices. In 2012, the Information Security and Privacy Advisory Board urged the FDA to take action to ensure that medical devices are secure.
Following a panel discussion on the topic, the board noted several prominent issues. Among them were a lack of government accountability and oversight for cybersecurity of medical devices and the vulnerability of medical devices in the unsecured home environment. The board recommended that the FDA take full government responsibility for overseeing cybersecurity of medical devices.
FDA Responses to Medical Device Cybersecurity
In June 2013, the FDA issued draft guidance titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” The draft identifies potential risks associated with medical devices and addresses premarket submissions for these devices, including premarket notification, premarket approval applications, and product development protocols. The same month, the FDA published “Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication.” This document urges device manufacturers and healthcare facilities to actively put safeguards in place that will protect medical devices from cyberattack.
Less than a year later, the FDA and the National Health Information Sharing and Analysis Center entered into a Memorandum of Understanding. The collaboration was formed to encourage public health stakeholders to pursue new innovations in cybersecurity. It also hopes to create a foundation of trust within the public health sector where manufacturers and healthcare providers can openly share cybersecurity vulnerabilities and work together to resolve these problems.
The FDA’s Public Workshop on Medical Device and Healthcare Cybersecurity
October is National Cybersecurity Awareness Month, and the FDA used this opportunity to host a public workshop on October 21-22, 2014, titled “Collaborative Approaches for Medical Device and Healthcare Cybersecurity.” The workshop, held in collaboration with the Department of Homeland Security and the Department of Health and Human Services, addressed the unique security challenges present with advanced medical technology today.
The workshop aimed to create a collaborative environment where participants could address risk-assessment frameworks for medical devices, identify security challenges in the industry, and develop tools for creating a cybersecurity program for the sector. The workshop agenda included such topics as “Cybersecurity Gaps and Challenges: Need to Share vs. Need to Secure” and “Models for Information Sharing and Shared Risk Assessment.”
The Real Dangers of Medical Device Hacking
It’s clear that medical device hacking is a pressing concern and that vulnerabilities can pose a very real threat. In 2013, former Vice President Dick Cheney revealed that he had wireless capabilities disabled in his pacemaker when the device was implanted in 2007. Though this predates the mass media coverage of cybersecurity threats to medical devices, it demonstrates how very real the threat may be. In an interview with CBS, Cheney said, “I was aware of the danger, if you will, that existed.”
The television show “Homeland” highlighted the potential threat posed to medical devices by working a cybersecurity attack into its plotline. While some could argue that this is just fictional television drama, Cheney said that he found the plot twist credible.
While medical devices and systems have long been vulnerable to hackers, the growing concern now relates to implantable devices as more of these are coming with wireless connectivity. Customers want insulin pumps that they can monitor with smartphone apps. Pacemakers that can transmit patient data to medical providers help the providers make informed decisions in emergency situations. The benefits of this type of technology are many, but where doctors and patients have access to their devices and data, there’s the risk of hackers working their way in as well.
Fortunately, though the potential for hacking is there, there have been no recorded cases of malicious hacking of implanted medical devices. Researchers have highlighted the potential for these hacks on either their own devices or those that were not actually implanted in a patient.
Though medical device hacking is still primarily a hypothetical concern, it’s prudent that the FDA address it now, as it did with its workshop on the topic. With new security measures in place, patients may rest easier knowing that their devices are being protected.