Your BBB® just received an article from Wired magazine that has the scary headline, “Medical Devices Are the Next Security Nightmare,” and we would like to pass along the information to our readers. The short answer is yes: pacemakers, defibrillators, insulin pumps, and other electronic medical devices are vulnerable to hacking. Not only can hackers take control of a single device, but they can potentially control “networks associated with that device and all related devices at a hospital.”
Two recent events illustrate the potential for harm that can come from medical devices not being secure. On October 3, 2016, Johnson & Johnson sent a letter to patients using the company’s diabetic insulin pump stating, “We have been notified of a cybersecurity issue with the OneTouch® Ping®, specifically that a person could potentially gain unauthorized access to the pump through its unencrypted radio frequency communication system. We want you to know that Animas has investigated this issue and has worked with the appropriate regulatory authorities and security experts, as we are always evaluating ways to further ensure patient safety and security.”
The Federal Food and Drug Administration (FDA) issued a safety alert on January 9, 2017 about cybersecurity vulnerabilities in St. Jude Medical’s radio frequency (RF)-enabled implantable cardiac devices. FDA confirmed that “these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.” That same day, St. Jude Medical issued security updates for its Merlin remote monitoring system that were designed to fix the security flaws. The FDA reviewed the software patch and found that it did fix the problem.
So what can be done about this problem? The FDA has started looking at device cybersecurity as a criterion for product approval. It can delay and even block medical devices from being placed on the market if they don’t meet the FDA’s cybersecurity standards. However, James Scott, a senior fellow at the non-partisan Institute for Critical Infrastructure Technology, stated, “What the FDA offers to the medical device technology community is basically nothing more than a tap on the shoulder reminder. It’s really up to the industry to actually do something.”
So far there have been no reported instances of actual harm done to patients by someone hacking their medical devices; all the reports come from researchers working on making the devices more secure. But more research is needed, and patients can help by pressing Congress to enact laws that require manufacturers of medical devices to tighten security.
For more information you can trust, visit bbb.org/evansville.