A new FDA warning reignites the debate over how much security should be installed on equipment such as pacemakers and fitness trackers.
A medical equipment manufacturer recently updated its pacemakers and defibrillators.
It wasn’t to fix a flaw or upgrade some of the devices’ functions.
It was to protect them after the Food and Drug Administration (FDA) issued a
According to the FDA, the devices could send out shocks or incorrect signals if a hacker drained the battery. That could be deadly for the person who has one of the implanted devices.
The news comes as many Americans express concerns about Russian hackers potentially being involved in the 2016 presidential election.
But medical device vulnerabilities are nothing new.
This past fall, Johnson & Johnson officials told patients that their insulin pumps could be hacked.
In 2015, the FDA issued
What other devices are vulnerable to hackers and what can we do about it?
“Medical devices and consumer wearables are not currently built with security in mind,” Stu Bradley, vice president of cybersecurity at the analytics firm SAS, told Healthline.
Bradley said manufacturers often use cheap platforms to keep costs down and launch products more quickly. They often come with default user names and passwords, which can make them prone to manipulation.
“The potential threat is real,” Bradley said. “That said, I don’t believe most hackers would mount an attack for purposes of harm … Hackers are primarily motivated by financial gain. That makes them much more apt to exploit a device’s security vulnerabilities to gain access to a network to which the device is connected, be that in a hospital or at someone’s home or workplace.”
Even so, the industry still needs to raise its security standards, Bradley said.
He said the FDA has issued some guidance on the Internet of Things (IoT) and on bolstering medical devices against security threats.
“If manufacturers don’t rise to the occasion voluntarily, we may eventually see guidance replaced with actual regulation,” Bradley said.
He added that manufacturers are not likely to prioritize security without a push from consumers.
Last July, the FDA issued
John Nye, senior penetration tester at CynergisTek, told Healthline the FDA made this decision because of the low risk to patient safety. His consulting firm specializes in healthcare security.
Kevin Fu, Ph.D., who runs the Archimedes Research Center for Medical Device Security and the Security and Privacy Research (SPQR) group, said interest in medical cybersecurity has grown recently.
Fu, an associate professor at the University of Michigan, has testified before the FDA on health device security.
Even though he’s been disclosing details on security vulnerabilities since he was a student, Fu said he would still accept a prescribed medical device because the clinical benefits outweigh the risks.
“Medical device security is a solution, not a problem. Cybersecurity will give patients the confidence to trust in their lifesaving diagnostics and therapies,” Fu told Healthline.
Fu has also talked about IoT devices, which can include wearable health trackers and other devices.
Early last year, a Fitbit attack was discovered. The cyberassault involved compromising accounts by changing user names and passwords.
When scammers have access to that data, they can sometimes infect computers with malware. In the Fitbit case, hackers compromised the accounts to make false warranty claims and got replacements.
Security needs to be built into these devices — not just added on in the event of a breach, Fu said.
He noted that the Mayo Clinic reportedly spends $300,000 to assess the security of each device.
While it is not cost-effective to have individual hospitals testing devices, some sort of hub for testing could be created. Partnerships between industry, government, and academia could defray costs, he said.
Fu noted that the National Vulnerability Database is being used to collect details about past and possible future breaches.
The National Institute of Standards and Technology and the National Science Foundation have a few initiatives to improve IoT security.
To protect yourself, make sure any device has a strong password. Also, keep connected systems such as computers up to date with virus protection and manufacturer updates.
“It is also a good idea to register the product with the manufacturer to keep informed of any changes, news, or alerts,” Nye said.
When a device has the ability to send and receive signals wirelessly, it has a markedly higher risk of being vulnerable to attack.
“Ultimately, it boils down to a conflict that has been plaguing information security professionals for as long as information security has been a concern — convenience versus security,” Nye added.