The FDA is warning that implanted medical devices, such as pacemakers and defibrillators, are often connected to networks that are vulnerable to cyber attacks that could shut down or manipulate the machinery.
Hackers with malicious intentions could introduce malware into the equipment, thereby gaining access to configure settings in medical devices or hospital networks, the Food and Drug Administration said in a warning sent to hospitals, medical device manufacturers, user facilities, and biomedical engineers.
“Over the past year, we’ve become increasingly aware of cyber security vulnerabilities in incidents that have been reported to us,” William Maisel, deputy director for science at the FDA’s Center for Devices and Radiological Health, told Reuters. “Hundreds of medical devices have been affected, involving dozens of manufacturers.”
Maisel noted that most of the infections were most likely unintentional, but that they demonstrate a very real possibility that hackers could intentionally inflict damage upon the devices.
The FDA report identified 300 medical devices that are at risk of crippling cyber attacks, including insulin pumps, implantable cardioverter defibrillators, anesthesia devices, drug infusion pumps, ventilators, and pacemakers. Some of these devices can even be remotely accessed through the Internet, the FDA report said.
“Somebody could take over the device and make it do whatever they want it to do and it would be almost impossible for hospital staff to know that it had been tampered with,” Billy Rios, a researcher at the cyber security firm Cylance Inc., told Reuters.
Jon Ogg, an analyst at 24/7 Wall Street, told AFP that the threat is very serious, even though it may seem like something that would occur in a science fiction movie.
“Can you imagine a device being retooled maliciously, like an inserted pacemaker/defibrillator?” he said. “Or imagine if a robotic surgery system was maliciously recalibrated in even a slight manner for surgeries. The list of threats is endless.”
The FDA said it was not aware of any patient deaths or injuries as a result of cyber attacks on medical devices, but that it is responsible for identifying the risks associated with at least 300 pieces of equipment.
“The FDA is recommending that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack,” the warning said.
Suspicions about the vulnerability of implanted medical devices have long existed, but the latest FDA report confirms the gravity of those fears. Last October, the Government Accountability Office published a report urging the FDA to investigate security flaws in medical devices. Earlier in 2012, Barnaby Jack, a researcher at the security firm McAfee, succeeded in hacking into a medical device and altering the quantity of insulin that a pump delivers.
With default passwords that malicious hackers can obtain with relative ease, cyber attacks can be inflicted upon life-sustaining devices that medical patients rely on.