FDA, Industry Fear Surge of Medical-Device Hacks

Pacemakers and insulin pumps may be vulnerable

Regulators and medical device-makers are bracing for an expected barrage of hacking attacks, according to a report from The Hill. High-profile attacks have hit hospitals and health insurers in recent years, and now attention is turning to a new vulnerability: medical devices, such as pacemakers and insulin pumps.

The FDA is working to coordinate with other agencies on how to respond if a serious medical-device hack were to occur, according to the article.

“This is what we said to manufacturers: one should consider the environment a hostile environment; there are constant attempts at intrusion ... and they have to be hardened,” Suzanne Schwartz of the FDA’s Center for Devices and Radiological Health told The Hill.

In 2015, more than 113 million personal health records were compromised, nine times as many as in 2014, according to provider data reported to the Department of Health and Human Services.

Last fall, Johnson & Johnson had to tell its customers that its Animas OneTouch Ping insulin pumps had a security vulnerability that hackers could use to access the device and cause a potentially fatal overdose of insulin. A similar incident occurred in July 2015, when the FDA told hospitals not to use Hospira’s Symbiq infusion pumps because of a vulnerability that could allow the pump to be accessed through a hospital network, potentially allowing a hacker to change the dose.

So far, there have been no known cases of medical-device hacking causing patient harm, the Hill article notes.

Hackers can tap into a weak point at a hospital—such as an unsecured wireless printer—and access the entire system. Hackers can then take over a hospital’s electronic records or lock the facility out of its own website, returning control only after a ransom has been paid.

Further, hackers can change medical record information on allergies, diagnoses, or doses of prescribed drugs. Aside from the obvious human cost, an incident such as that could have serious financial consequences for a hospital.

Information-sharing is considered the major bulwark against hacking attempts, according to the article. The health care community has an information-sharing group, where providers, manufacturers, and others update their defenses against common threats, including hacking. Within this community, medical device-makers have their own subcommunity. Congress and the industry are both promoting health care information-sharing, hoping to bring it up to par with that of other industries, such as the financial sector, which is known for its cyber readiness, the article says.

Hospitals are backing up their files and are increasingly adding cybersecurity protections into their contractual agreements.

Source: The Hill; April 11, 2017.