Homeland Security Investigating Medical Device Cybersecurity
October 23, 2014 in News
The Department of Homeland Security is investigating about two dozen medical devices and hospital equipment that could be vulnerable to cyberattacks, according to a senior official at the agency who asked to remain anonymous, Reuters reports.
Cybersecurity experts say concerns related to wireless medical devices are not new. In 2007, then-U.S. Vice President Dick Cheney had some of the wireless features on his defibrillator disabled due to security concerns.
Cybersecurity experts say medical devices could include vulnerabilities that would allow hackers to temporarily take control of the device. For example, experts say a hacker potentially could:
- Control an infusion pump to overdose a patient; or
- Make a heart implant deliver a fatal jolt of electricity (Finkle, Reuters, 10/22).
Earlier this month, FDA released final guidance to help medical device manufacturers consider cybersecurity concerns when developing, designing and submitting devices for approval (iHealthBeat, 10/2).
According to DHS officials, the agency began looking at health care equipment two years ago. The current investigations are being conducted by DHS’ Industrial Control Systems Cyber Emergency Response Team, which aims to protect critical U.S. infrastructure from cyber threats.
According to sources familiar with the cases, the medical devices under review include:
- Hospira’s drug infusion pump;
- Medtronic’s implantable heart device; and
- St. Jude Medical’s implantable heart device.
All three companies declined to comment on DHS’ investigations but said they take the security of their devices seriously.
DHS officials also said the agency is reviewing medical imaging equipment and hospital networking systems.
According to Reuters, a DHS review does not suggest any wrongdoing on the company’s part, but rather that the agency is examining a potential vulnerability to try to help address the issue.
The sources also clarified that they are not aware of any cases in which hackers have attacked patients through their devices (Reuters, 10/22).
Wanda Moebius — spokesperson for the Advanced Medical Technology Association, a trade group for medical device manufacturers — also declined to comment on DHS’ investigations. In a statement, the group said, “The risk of a malicious cyberattack is extremely low,” compared with the benefits of the devices. However, the group said “manufacturers take seriously the need to continuously assess the security of these devices in a world where the risks, no matter how remote, evolve” (Conn, Modern Healthcare, 10/22).
However, Lessley Stoltenberg, CIO at the University of Texas MD Anderson Cancer Center, said she is “pretty concerned,” adding that in the future all medical devices will need to be tested to ensure they meet security standards before being connected to a hospital’s network (Reuters, 10/22).
Meanwhile, Michael McMillan, CEO of security consulting firm CynergisTek, said the industry needs an enforceable system through which medical devices can be tested for compliance with FDA standards regarding cybersecurity (Modern Healthcare, 10/22).