Remote Hacking and the Vulnerabilities of Today’s Medical Devices
By CHHS Extern Drew Ricci
With the recent emergence of wireless connectivity in medical devices, taking someone’s life could all too easily lay in the hands of predators nowhere near a patient’s bed-side. The majority of today’s medical devices that possess wireless connectivity have frightening security flaws that leave them susceptible to remote hacking. Moreover, many of the devices are vulnerable to third-party manipulation because they can be accessed without a password altogether, or by entering a default password such as “1234” or “admin.”
In a recent 2-year study conducted by Scott Erven of Essentia Health, Erven identified current medical devices vulnerable to remote hacking. Erven’s study revealed that implantable cardiac defibrillators (ICDs) could be easily hacked to deliver erratic shocks or to stop the ICD from delivering vital shocks that prevent a patient from going into cardiac arrest, drug infusion pumps could be remotely manipulated to alter the dosage of medication given to a patient, and CT scans could be manipulated to increase the exposure of radiation that a patient receives.
In response, the Food and Drug Administration (FDA) in October 2014, issued the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff” that mandated manufacturers incorporate security features into their devices during the development and design of their products. However, devices currently being used by medical professionals are exempt from this mandate and are therefore still vulnerable to third-party manipulation.
Most recently, security researcher, Billy Rios, discovered that over 400,000 intravenous drug pumps currently being used in hospitals throughout the world were in danger of being hacked. Furthermore, Rios found that anyone on a hospital’s network, including patients or a hacker, could remotely control the pumps using the Internet to install malicious firmware. The installation of the firmware would allow a hacker to alter the dosage sizes and the pump’s display screen so it would appear as though the correct dosage was being administered via the device. In early June, after being informed of Rio’s discovery, the FDA issued an alert about the firmware vulnerabilities, but has yet to initiate any directive that would require the manufacturers to address the security risks in devices that are currently in use.
Unfortunately, unless the FDA mandates that the manufacturers address the security flaws in existing medical devices, the majority will remain vulnerable to malicious third-party manipulation until the devices are phased out over time. For this reason, it is imperative that the FDA obliges the device manufacturers to remedy the potentially life threatening security risks that already exist, while continuing their efforts to ensure cybersecurity for future products.