A little birdie told me about a couple articles that are drawing attention to the possibility of medical device hacking.
The first article I share with you is from the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). They are advising that they have confirmed that approximately 300 medical devices from over 40 vendors have hard-coded passwords that hackers can access to reprogram settings on the devices, or change the parameters of operations on things like pacemakers and insulin pumps. These risks have been known for a while, but now, the federal government is looking into compelling the device manufacturers to beef up their devices’ security features to prevent unwanted adjustments that could endanger lives. There are even a few conspiracy theories that these vulnerabilities leave “backdoors” for those who would seek to kill an opponent. A few dozen extra units of insulin or a badly timed internal defibrillation would certainly be an effective means to end a life.
Visit the ICS-CERT for this article, at http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01
Next, as of June 13th, the FDA has placed a notice out there and is also opening a 90-day window to solicit input and feedback on proposed rules to strengthen security requirements on medical devices. Check out these two articles:
FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks – http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Draft Guidance for Industry and Food and Drug Administration Staff – http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm356186.htm
In case you are thinking this could only apply to devices that are implanted or placed upon a patient, think again. Our expensive cardiac monitors use these same types of access passwords to set the alarms and even limit the amount of energy delivered with a defibrillation. It would be devastating to us to have a device not alarm when it is supposed to, like during apneic periods, or desaturation, or even during a run of VTach.