A cyber security expert warns that medical devices that are connected wirelessly to a centralized computer network, making it easier to monitor, may be vulnerable to attacks by hackers.
Billy Rios, of WhiteScope, a security consulting and assessment firm, explained to Dr. Max Gomez of television station CBS2, “It’s a medical device, but the way this thing runs it’s really just a computer.” The danger, Rios said, is that “someone else can control this thing remotely and do things to the pump, or do things to the device or equipment. You have to understand what you’re doing before you do this.”
Rios examined a number of popular hospital infusion pumps that deliver nutrients and medication and the results were disturbing. Someone could log into the device with no user name and no password. A hacker with an Internet connection could remotely operate the device or change its settings, endangering the patient. Such hacking could also be used against personal medical devices such as insulin pumps and heart pacemakers, Dr. Gomez reported. Because of this risk, former Vice President Dick Cheney had the wireless function disabled on his pacemaker.
Rios says device manufacturers have been slow to address such risks because they consider this largely a theoretical problem. He does not want “someone to have to die in order for them to become a data point in order for us to make a decision.”
The Food and Drug Administration (FDA) has issued an alert warning health care providers to discontinue use of some specific IV pumps. But because the pumps have no actual defect, the FDA did not require discontinuation of the pumps, according to the CBS report. This means that there is no guarantee that the person controlling these life-saving devices is actually a health care professional with the patient’s best interests at heart.
Financing also contributes to the problem. It would be expensive to enhance the security of older devices, CBS reports, and those funds are needed to provide more life-saving devices. Manufacturers sometimes offer a fix for an older device only if the hospital or facility purchase new models from them.