Medical Devices Vulnerable to Hacking Need Oversight

Wireless medical devices are potentially vulnerable to being remotely controlled by hackers and should be tracked more closely, according to a Government Accountability Office report.

The investigation into electronic medical-device safety was initiated after computer-security researchers found dangerous vulnerabilities in insulin pumps. Diabetics rely on the pumps, which are worn next to the skin, to dispense insulin, a life- saving hormone.

“Even the human body is vulnerable to attack from computer hackers,” Representative Anna Eshoo, a Democrat from California, said in a statement on her website. “Implantable medical devices have resulted in tremendous medical benefits for the patients who use them, but the demonstrated security risks require a renewed emphasis by the FDA and manufacturers to identify, evaluate and plug the potentially rare but serious security holes that exist in these devices.”

Eshoo, along with Democratic Representatives Edward Markey and Donna Edwards, had asked last year for the GAO report, which called on the Food and Drug Administration to oversee better identification and investigation of security problems in electronic medical equipment such as insulin pumps, pacemakers and defibrillators.

Remote Control

Computer-security researcher Jay Radcliffe, a diabetic who found dangerous vulnerabilities in his own insulin pump, and another Barnaby Jack, who worked separately as a professional hacker for McAfee, both demonstrated ways to manipulate the wireless capabilities on devices made by Minneapolis-based Medtronic Inc. (MDT) to remotely take over the pumps and dispense fatal doses of insulin.

Congress members called for the GAO investigation following a report by the Associated Press on Radcliffe’s research, which he presented at a security conference in Las Vegas. More vulnerabilities were later uncovered by Jack, Bloomberg.com reported on its Tech Blog.

Earlier research bolstered their claims. A 2008 study from a consortium of academics found that a popular pacemaker- defibrillator could be reprogrammed to deliver deadly shocks.

A key issue is that the FDA has not evaluated risks from hacking attacks as part of its screening of new devices until recently, the GAO report said.

“The FDA’s focus has always been on the safety of medical devices, rather than the security of these devices,” Jack wrote in an e-mail. “They simply don’t have the expertise on staff to conduct a worthwhile security audit for every device that requires their approval.”

Security Risks

The FDA said breaches involving medical devices is not currently a widespread issue. The agency has taken steps to improve screening for security risks and agrees with the GAO that more efforts are necessary, it said in a statement today.

“FDA shares the concern over the security and privacy of medical devices, and emphasizes security as a key element in device design,” the agency said. “Any system with wireless communication can be subject to interception of data and compromised privacy as well as interference with performance that can compromise the safety and effectiveness of the device.”

Although medical-device manufacturers are becoming more aware of security risks affecting their products, they have been reluctant to spend the time and money fixing issues that in some cases have a low likelihood of happening outside of research labs, according to Radcliffe.

“I can very much sympathize with the manufacturers’ concerns,” Radcliffe said in an interview today. “When you’re dealing with this much vagueness, and you’re dealing with a security vulnerability where the risk is really, really low, you go to the FDA and say you want to change this device and it could be $500,000 and four years of time. In some cases, smaller manufacturers could go out of business.”

The recommendations, he said, should help create a shorter process “that all manufacturers can count on.”

To contact the reporter on this story: Jordan Robertson in San Francisco at jrobertson40@bloomberg.net

To contact the editor responsible for this story: Tom Giles at tgiles5@bloomberg.net

Bloomberg reserves the right to remove comments but is under no obligation to do so, or to explain individual moderation decisions.

Please enable JavaScript to view the comments powered by Disqus.