
Feds examining medical devices for fatal cybersecurity flaws

They could be controlled remotely, overdose patients, or thwart heart implants.


It was an eerie tale. Former US Vice President Dick Cheney announced last year that he had disabled the wireless function of his implanted heart defibrillator amid fears it could be exploited by terrorists wanting to kill him.

Cheney's announcement put a face to the fear of medical-device hacking, and researchers and the federal government were slowly realizing there were genuine vulnerabilities in these implanted devices. They are equipped with computerized functions and wireless interfaces so that they can be adjusted without additional surgery, and that same remote access is what exposes them to attack.

Cheney's move may have seemed far-fetched, but his paranoia is being confirmed, as the Department of Homeland Security is now probing potential cybersecurity flaws in certain medical devices.

"The Department of Homeland Security’s (DHS) Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) works directly with the Food and Drug Administration (FDA) and medical device manufacturers, health care professionals, and facilities to investigate and address cyber vulnerabilities. DHS actively collaborates with public and private sector partners every day to identify and reduce adverse impacts on the nation’s critical cyber systems," DHS spokesman S.Y. Lee wrote Thursday to Ars.

Reuters reported that the authorities were examining a Hospira drug infusion pump and implantable heart devices made by Medtronic and St. Jude Medical. Lee declined to confirm any specific companies or devices. Hospira spokeswoman Tareta Adams offered a statement.

"Hospira has implemented software adjustments, distributed customer communications, and made a commitment to evaluate other changes going forward, while ensuring we are not adversely impacting the ability of our devices to meet hospital and patient needs and maintain compliance with FDA product requirements."

The two other companies did not immediately comment.

Without naming companies, the Industrial Control Systems-Cyber Emergency Response Team announced last year that a vast array of heart defibrillators, drug infusion pumps, and other medical devices contain backdoors that make them vulnerable to potentially life-threatening hacks. The devices, which also include ventilators, patient monitors, and surgical and anesthesia devices, contain hard-coded password vulnerabilities, according to an agency advisory.

The advisory said some 300 medical devices from roughly 40 vendors were affected.

"The affected devices have hard-coded passwords that can be used to permit privileged access to devices such as passwords that would normally be used only by a service technician. In some devices, this access could allow critical settings or the device firmware to be modified," according to the advisory.

There are no known instances of these hacks being carried out in the wild. But the fear is that the devices could be controlled remotely, overdose patients, or send a heart-device implant into overdrive.
