A cyber security expert has warned that many medical devices—both those used in hospitals and personal devices—are vulnerable to attacks by hackers.
Billy Rios, of the security consulting and assessment firm WhiteScope, explained to Dr. Max Gomez of television station CBS2, that when a device is connected wirelessly to a centralized computer network to make monitoring easier, the connection may also put the device at risk for hacking. “It’s a medical device, but the way this thing runs it’s really just a computer,” Rios said. The danger is that “someone else can control this thing remotely and do things to the pump, or do things to the device or equipment. You have to understand what you’re doing before you do this.”
Rios examined a number of popular hospital infusion pumps—devices that deliver nutrients and medications. The results were troubling. Someone could log into the device with no user name and no password. A hacker with an Internet connection could remotely operate the device or change its settings, endangering the patient. Personal medical devices such as insulin pumps and heart pacemakers could also be open to such tampering, Dr. Gomez reported. Former Vice President Dick Cheney had the wireless function disabled on his pacemaker because of this risk.
Rios says device manufacturers have been slow to address the hacking risk because they consider this largely a theoretical problem. Rios said he does not want “someone to have to die in order for them to become a data point in order for us to make a decision.”
The Food and Drug Administration (FDA) issued a recommendation to health care providers to discontinue use of some specific IV pumps that could be hacked. But because the pumps have no actual defect, the FDA did not require discontinuation of the pumps. Patients have no guarantee that the person controlling life-saving devices is actually a trained health care professional who will safeguard the patient’s interests.
Dr. Gomez says money also contributes to device vulnerability. It would be expensive for manufacturers to improve the security of older devices, and those funds are needed to provide devices to additional people. Some manufacturers will provide a fix for an older device only if the hospital or health care facility purchases new models from them.