HEALTHLINE NEWS

How Vulnerable Are Personal Medical Devices to Hackers?

A new FDA warning reignites the debate over how much security should be installed on equipment such as pacemakers and fitness trackers.


A medical equipment manufacturer recently updated its pacemakers and defibrillators.

It wasn’t to fix a flaw or upgrade some of the devices’ functions.


It was to protect them after the Food and Drug Administration (FDA) issued a warning that the devices may be vulnerable to hackers.

According to the FDA, the devices could send out shocks or incorrect signals if a hacker drained the battery. That could be deadly for the person who has one of the implanted devices.

The news comes as many Americans express concerns about Russian hackers potentially being involved in the 2016 presidential election.


But medical device vulnerabilities are nothing new.

This past fall, Johnson & Johnson officials told patients that their insulin pumps could be hacked.


In 2015, the FDA issued alerts to hospitals over Hospira/Pfizer drug pumps.


‘Potential threat is real’

What other devices are vulnerable to hackers and what can we do about it?

“Medical devices and consumer wearables are not currently built with security in mind,” Stu Bradley, vice president of cybersecurity at the analytics firm SAS, told Healthline.

Bradley said manufacturers often use cheap platforms to keep costs down and launch products more quickly. They often come with default user names and passwords, which can make them prone to manipulation.


“The potential threat is real,” Bradley said. “That said, I don’t believe most hackers would mount an attack for purposes of harm ... Hackers are primarily motivated by financial gain. That makes them much more apt to exploit a device’s security vulnerabilities to gain access to a network to which the device is connected, be that in a hospital or at someone’s home or workplace.”

Even so, the industry still needs to raise its security standards, Bradley said.


He said the FDA has issued some guidance on the Internet of Things (IoT) bolstering medical devices against security threats.


“If manufacturers don’t rise to the occasion voluntarily, we may eventually see guidance replaced with actual regulation,” Bradley said.

He added that manufacturers are not likely to prioritize security without a push from consumers.


Last July, the FDA issued guidelines stating that it would not regulate wellness devices such as Fitbits.

John Nye, senior penetration tester at CynergisTek, told Healthline the FDA made this decision because of the low risk to patient safety. His consulting firm specializes in healthcare security.

Kevin Fu, Ph.D., who runs the Archimedes Research Center for Medical Device Security and the Security and Privacy Research (SPQR) group, said interest in medical cybersecurity has grown recently.


Fu, an associate professor at the University of Michigan, has testified before the FDA on health device security.

Even though he’s been disclosing details on security vulnerabilities since he was a student, Fu said he would still accept a prescribed medical device because the clinical benefits outweigh the risks.


“Medical device security is a solution, not a problem. Cybersecurity will give patients the confidence to trust in their lifesaving diagnostics and therapies,” Fu told Healthline.


IoT security flawed

Fu has also talked about IoT devices, which can include wearable health trackers and other devices.

Early last year, a Fitbit attack was discovered. The cyberassault involved compromising accounts by changing user names and passwords.

When scammers have access to that data, they can sometimes infect computers with malware. In that case, hackers compromised the accounts to make false warranty claims and got replacements.

Security needs to be built into these devices — not just added on in the event of a breach, Fu said.

He noted that the Mayo Clinic reportedly spends $300,000 to assess the security of each device.

While it is not cost-effective to have individual hospitals testing devices, some sort of hub for testing could be created. Partnerships between industry, government, and academia could defray costs, he said.


Buyer beware

Fu noted that the National Vulnerability Database is being used to collect details about past and possible future breaches.

The National Institute of Standards and Technology and the National Science Foundation have a few initiatives to improve IoT security.

To protect yourself, make sure any device has a strong password. Also, keep connected systems such as computers up-to-date with virus protection and manufacturer updates.

“It is also a good idea to register the product with the manufacturer to keep informed of any changes, news, or alerts,” Nye said.

When a device has the ability to send and receive signals wirelessly, it has a markedly higher risk of being vulnerable to attack.

“Ultimately, it boils down to a conflict that has been plaguing information security professionals for as long as information security has been a concern — convenience versus security,” Nye added.
