When the FDA released recommendations to manufacturers to strengthen the cybersecurity of medical devices earlier this month, the agency quoted Dr. Suzanne Schwartz as saying, “There is no such thing as a threat-proof medical device.” Now, coinciding with the “Collaborative Approaches for Medical Device and Healthcare Cybersecurity” public workshop, Reuters revealed that DHS is investigating 24 cases of suspected cybersecurity flaws in medical devices and hospital equipment. “The two dozen cases currently under investigation cover a wide range of equipment, including medical imaging equipment and hospital networking systems.”
Although not all the companies were named, DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is reviewing “an infusion pump from Hospira Inc. and implantable heart devices from Medtronic Inc. and St Jude Medical Inc.” Don’t freak out, though, as confidential sources added:
These people said they do not know of any instances of hackers attacking patients through these devices, so the cyber threat should not be overstated. Still, the agency is concerned that malicious actors may try to gain control of the devices remotely and create problems, such as instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity, the sources said.
"These are the things that shows like Homeland are built from," an unnamed senior DHS official told Reuters. "It isn't out of the realm of the possible to cause severe injury or death."
ICS-CERT “is working with manufacturers to identify and repair software coding bugs and other vulnerabilities that hackers can potentially use to expose confidential data or attack hospital equipment.”
Confidential sources said one of the cases involves an alleged vulnerability in an infusion pump manufactured by Hospira. The flaw was discovered by security researcher Billy Rios; after he “wrote a program that could remotely force multiple pumps to dose patients with potentially lethal amounts of drugs,” he “submitted his analysis to the DHS.” Hospira would not comment upon the specifics, but claimed it implemented software adjustments and is working to improve security.
The current probe is also partially based on research by Barnaby Jack (RIP); he showed how an attacker with a laptop, located up to 50 feet from a victim, could remotely hack a pacemaker and deliver an 830-volt shock.
Sources said DHS is looking into “suspected vulnerabilities in implantable heart devices from Medtronic and St. Jude Medical.” Medtronic told Reuters it has enhanced security of its implantable cardiac devices, but wouldn’t give specifics “in the interest of public safety.” St. Jude Medical claimed it conducts “extensive security testing,” but will issue patches for its medical devices and networked equipment if any flaws are identified.
Three years ago, security researcher Jay Radcliffe explained how a wireless attack could remotely control an insulin pump and potentially kill a victim. He later decided to stop using his Medtronic insulin pump because he didn’t feel safe wearing the device. Two years ago, the feds were pressed to protect wireless medical devices from hackers. This came after security researchers shined a public spotlight on implantable medical device insecurities and other researchers developed an anti-hacking jamming device that acted as a “shield” to stop attackers from launching lethal pacemaker attacks.
In the 2014 Internet Organized Crime Threat Assessment, Europol mentioned targeted attacks including “possible death” and referenced an IID cybersecurity prediction that claimed, “We will witness the first ever public case of murder via hacked Internet-connected devices by the end of 2014.”
Peachy and happy cybersecurity awareness month! Well let’s hope ICS-CERT helps medical device manufacturers plug holes and potentially save lives so that IID's predication does not come to pass this year or ever.