Medical Device Hacking: A Future Problem?
It sounds like something out of a science fiction movie – someone thousands of miles away remotely accesses a pacemaker in order to assassinate the user. To be fair, this was a plot device in an episode of Homeland, one of my favorite TV shows. But recently, the possibility of murder by medical device hack has become more real.
Not So Fictional
Last year, Forbes wrote about a cybersecurity conference called Black Hat, reporting on how vulnerable medical devices actually are to hack attacks. Although it is important to note that as of yet, no instance of medical device hacking has occurred, the seminar specifically focused on the ability to hack insulin pumps to overdose the user on insulin, among other disturbing discoveries. The conference also discussed the fact that medical devices are hardcoded with default passwords, making them easier to hack to change critical device settings. Hackers can even replace device software entirely.
Hospitals Can Be Vulnerable Too
Recent investigations have also discovered that hospital equipment can be just as easily manipulated. Scott Erven, a security expert, conducted a two-year study to determine just how vulnerable hospital equipment is to hacking. He discovered that defibrillators with Bluetooth connectivity can be hacked to deliver random shocks, or to prevent a shock from occurring. He also found that medical records could be remotely altered, creating the possibility of a deadly misdiagnosis or incorrect treatment. In fact, Erven learned that most of the devices he tested were hackable in some way. Some of the most vulnerable devices are medication infusion pumps, which have web interfaces that allow nurses to change drug dosage levels from their workstations. Apparently, many of these systems do not have passwords, and the ones that do use default passwords that are easily guessed.
The FDA Response
Security industry experts say that the best way to prevent device hacking is to remove the hardcoded default accounts and require device firmware to be digitally signed. These are part of the recommendations the FDA made in a recently released guidance document. The document is designed to inform device manufacturers of the FDA’s current thinking with respect to cybersecurity. The FDA currently recommends that manufacturers develop cybersecurity quality controls to assure medical device security and safety. These controls should limit access to devices to trusted users only and provide a means for a manufacturer to detect a hack attack. The FDA further recommends that manufacturers include in their premarket applications a section dedicated to the implementation of quality systems to prevent device hacking. Since these are “nonbinding recommendations” only, they do not carry any force of law and cannot be enforced. However, in the future the FDA may adopt these guidance recommendations as actual regulations. Although that will impose an extra burden on device manufacturers, it will provide an extra layer of protection to consumers.
Medical Device Hacking — A Future Issue
That being said, consumers should know that there have been no recorded incidents of medical device hacks, at least none resulting in injury. The FDA records and tracks all “adverse events” occurring in medical devices in the Manufacturer and User Facility Device Experience or “MAUDE” database. No incidents of hacking have been listed in the MAUDE database to date. On the other hand, cybersecurity experts would counter that the MAUDE database has its shortcomings; it only details those events that device users and doctors are aware of. Most hacking attacks, by their very nature, would likely go completely unnoticed.
While there have been no instances of “successful” device hacking yet, an anonymous DHS source recently said that “It isn’t out of the realm of the possibility to cause severe injury or death,” by hacking a medical device. Obviously, medical device hacking is an issue the FDA and legislators should monitor more carefully and act upon sooner rather than later.