News Feature | February 11, 2014

Hacked: Medtronic, Boston Scientific, St. Jude Networks Suffer Cybersecurity Breaches

By Joel Lindsey

Reports have recently surfaced claiming that hackers may have broken into the computer networks of three of the world’s largest medical device makers.

According to the San Francisco Chronicle, the cyber attacks struck Medtronic, Boston Scientific, and St. Jude Medical sometime during the first half of 2013. The breaches may have lasted as long as several months.

While details of the alleged cyber attack remain vague, sources have stated that it was “very thorough,” and may have been carried out by hackers in China. What the hackers were looking for, or what, if anything, was stolen remains unclear. According to the Chronicle, however, federal law requires companies involved with medical information to disclose any breach involving patient information, and none of the companies have filed any such report. 

“Almost every large company is dealing with constant, persistent threats and network reconnaissance from hackers looking for holes and other ways into a company’s systems,” said Joshua Carlson, a data privacy attorney in Minnesota. “Those companies that are not ready or prepared, they can see decades and billions of dollars in [intellectual property] disappear in a few seconds.”

Both the sensitivity of patient-related healthcare records and the functionality of high-tech medical devices are of particular concern in cases like those involving Medtronic, Boston Scientific, and St. Jude Medical. Not surprisingly, cybersecurity has been a growing concern in the closely related fields of medical device manufacturing and healthcare over the past few years.

In 2011, Medtronic became embroiled in controversy when cybersecurity expert Jay Radcliffe remotely hacked into and disabled his own Medtronic-manufactured insulin pump, demonstrating the relative ease with which healthcare devices may be tampered with by computer hackers. Later, in June 2013, the FDA released an official report to all medical device manufacturers with recommendations for bolstering and monitoring cybersecurity measures.

More recently, St. Joseph Health System in Bryan, Texas reported that over a three-day period last December hackers gained access to personal information of 400,000 current and former patients.

Concerns over cybersecurity have also resurfaced in the wake of a January 2014 report that unearthed more than 20 vulnerabilities in the website.

“Cyberthreats and cyberattacks are only going to get more sophisticated and more impactful to those companies breached,” Carlson said. “The economics of it are fairly simple: There is great reward and only slight risk for state actors, or hackers in other countries, to steal or attempt to steal as much intellectual property as it can from U.S. companies that are often decades ahead in technology and research.”