The Unwired Medic

Teaching EMS providers & other public safety pros about using mobile tech to improve their practice, patient care, continuing education, scene safety, general entertainment, & productivity.

Medical Devices At Risk For Hacking

| 1 Comment

A little birdie told me about a couple articles that are drawing attention to the possibility of medical device hacking.

unlock

Image credit: twasa – http://www.sxc.hu/profile/twasa – Image retrieved from http://www.sxc.hu/photo/223063 on 24 June 2013

The first article I share with you is from the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team).  They are advising that they have confirmed that approximately 300 medical devices from over 40 vendors have hard-coded passwords that hackers can access to reprogram settings on the devices, or change the parameters of operations on things like pacemakers and insulin pumps.  These risks have been known for a while, but now, the federal government is looking into compelling the device manufacturers to beef up their devices’ security features to prevent unwanted adjustments that could endanger lives.  There are even a few conspiracy theories that these vulnerabilities leave “backdoors” for those who would seek to kill an opponent.  A few dozen extra units of insulin or a badly timed internal defibrillation would certainly be an effective means to end a life.

Visit the ICS-CERT for this article, at http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01

Next, as of June 13th, the FDA has placed a notice out there and is also opening a 90-day window to solicit input and feedback on proposed rules to strengthen security requirements on medical devices.  Check out these two articles:

FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks – http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm

and

Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Draft Guidance for Industry and Food and Drug Administration Staff – http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm356186.htm

 

In case you are thinking this could only apply to devices that are implanted or placed upon a patient, think again.  Our expensive cardiac monitors use these same types of access passwords to set the alarms and even limit the amount of energy delivered with a defibrillation.  It would be devastating to us to have a device not alarm when it is supposed to, like during apneic periods, or desaturation, or even during a run of VTach.

One Comment

  1. This has been known for at least a couple of years now. A few years ago, a computer scientist hacked into his own insulin monitor and was able to reset his dosage. A big part of the problem is that there is zero security on the wireless on these devices.

    I discussed this with a friend of mine who does computer security and proposed the following scenario. Someone decides to kill a politician who has a pacemaker/defib implanted. He uses a high power WiFi set up with a directional antenna to cause the device to malfunction. I thought it was kind of far fetched, buy my friend assured me that the hardware and software existed to do it. He said it’s just a matter of time before someone puts it all together.

Leave a Reply

Required fields are marked *.