Regulators and medical-device-makers are bracing for an expected barrage of hacking attacks even as legal and technical uncertainties leave them in uncharted territory.
Tens of millions of electronic health records have been compromised in recent years, a number that is growing and, some say, underreported.
High-profile attacks have hit hospitals and health insurers, and now attention is turning to a new vulnerability: medical devices like pacemakers and insulin pumps.
The Food and Drug Administration (FDA) has become increasingly concerned about the issue and is working to coordinate with other agencies on how to respond if a serious medical device hack were to occur.
“This is what we said to manufacturers; one should consider the environment a hostile environment, there are constant attempts at intrusion … and they have to be hardened,” said Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health.
There have been rumblings over cybersecurity for years.
More than 113 million personal health records were compromised in 2015, according to provider data reported to the Department of Health and Human Services (DHS), nine times as many as in 2014.
Last fall, Johnson & Johnson had to tell its customers that its insulin pumps had a security vulnerability that hackers could use to access the device and cause a potentially fatal overdose of insulin. The pump, called the Animas OneTouch Ping, had a wireless controller that made it vulnerable. Wireless connection can be an easy access point for hackers.
A similar incident occurred in July 2015, when the FDA told hospitals not to use Hospira’s Symbiq infusion pumps because of a vulnerability that could allow the pump to be accessed through a hospital network, potentially allowing a hacker to change the dose.
The pump was no longer being sold by Hospira, but the FDA also discouraged providers from buying it from third parties.
In 2013, hacker Barnaby Jack claimed he had discovered how to take control of a pacemaker from up to 50 feet away and create a lethal shock using the device. He was set to reveal his method at the world’s largest hacker conference in Las Vegas but died the night before.
Notably, former Vice President Dick Cheney’s doctor had the wireless capability of Cheney’s pacemaker as a safety precaution.
So far, though, there have been no known cases of medical-device hacking causing patient harm, according to Zach Rothstein, associate vice president at the Advanced Medical Technology Association.
Healthcare’s hacking problem.
Hackers can tap into one weak point at a hospital — like an unsecured wireless printer — and access the entire system. Hackers can take over a hospital’s electronic records or lock them out of their website and only return control after a ransom is paid, often in Bitcoin.
Read More from the Source: FDA, industry fear wave of medical-device hacks | TheHill