News Feature | October 24, 2014

Department Of Homeland Security Investigates Medical Device Cybersecurity Flaws

By Chuck Seegert, Ph.D.


The Department of Homeland Security (DHS) is currently investigating dozens of cybersecurity cases related to medical devices and their potential for exploitation. The focus is on finding and rectifying vulnerabilities.

As medical devices have continued to increase in complexity, hardware and software control systems have become more prevalent. While the networks and information technology systems these devices interface with have increased in sophistication and resistance to attacks, some feel that medical devices have lagged behind, leaving them vulnerable.

"The conventional wisdom in the past was that products only had to be protected from unintentional threats," said William Maisel, chief scientist at the FDA's Center for Devices and Radiological Health, in a recent article from Reuters. "Now they also have to be protected from intentional threats too."

In an effort to defend against these possible threats, the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is investigating a number of devices, such as infusion pumps from Hospira Inc. and implantable cardiac defibrillators from Medtronic. Each has been subject to successful hacking efforts that could be used to perpetrate a cyber-attack.

Infusion pumps deliver medication directly into a patient's bloodstream. Recently, a private IT security contractor, Billy Rios, identified weaknesses in Hospira's pump design that allowed him to write a program that could remotely force these pumps to inject potentially lethal levels of drugs. Rios delivered his program to DHS to alert them to the risk.

"This is an issue that is going to be extremely difficult to patch," said Rios, a former Marine platoon commander who has worked for several Silicon Valley technology firms and recently founded security startup Laconicly, in the Reuters story.

Hospira responded to inquiries with a statement meant to offer reassurance that the company was working on these issues.

"Hospira has implemented software adjustments, distributed customer communications and made a commitment to evaluate other changes going forward, while ensuring we are not adversely impacting the ability of our devices to meet hospital and patient needs, and maintain compliance with FDA product requirements," Tareta Adams, spokesperson for Hospira, said in a statement cited by Reuters.

As cyber-attacks become more likely, medical device manufacturers will need to shoulder the responsibility of protecting their devices from threats. To help deal with these issues, the FDA recently issued a guidance document related to cybersecurity risk.

It is also highly recommended that companies implement responsible disclosure policies to handle cases in which a hacker reveals the susceptibility of a medical device, as in the Hospira infusion pump incident.