FDA investigates 24 potentially lethal IoT medical devices
Wed 22 Oct 2014
In the wake of the U.S. Food and Drug Administration’s recommendations to manufacturers to strengthen security on medical devices, the U.S. Department of Homeland Security has launched an investigation into 24 cases of potential cybersecurity vulnerabilities in hospital equipment and ancillary medical devices, according to a new report from Reuters.
The technologies being investigated by the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) include implantable heart devices by St Jude Medical Inc and Medtronic Inc, and an infusion pump by Hospira Inc, according to confidential sources.
In the case of one unidentified infusion pump – a device which regulates the delivery of medication into a subject’s bloodstream – the vulnerability seems to have been identified by lone security researcher Billy Rios. Rios claims to have developed code capable of forcing multiple infusion pumps to fatally overdose patients, and later submitted his research to the Food and Drug Administration. Reuters reports that two unconfirmed witnesses claim the manufacturer in question is Hospira.
Former Marine and Silicon Valley consultant Rios said: “This is [an] issue that is going to be extremely difficult to patch.” Hospira currently offers nearly 60 pumps and peripheral items, and company spokeswoman Tareta Adams commented that Hospira is working on improved security for the line.
The FDA is charged with regulating medical devices, and is following up its recent recommendations to manufacturers with a public conference on the matter this week. William Maisel, chief scientist at the FDA’s Center for Devices and Radiological Health, said: “The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too.”
A DHS official revealed that investigations into medical device cybersecurity began two years ago, as the agency began to note an increase in the use of wireless technology, CPUs, net connectivity and software, creating a potential new attack vector in the field of security.
The investigation currently under way is not expected to uncover either hostile intent or negligence on the part of device manufacturers, but rather to correct possible vulnerabilities which have emerged in what is becoming an entirely new field of study in security and the Internet of Things (IoT). The scenario has evolved naturally, and perhaps the two biggest inspirations for addressing it now have been the 2007 incident where U.S. Vice President Dick Cheney ordered that wireless features be disabled on his defibrillator, and the fact that the popular U.S. TV thriller Homeland took inspiration from Cheney and actually depicted the murder of a vice president via a hacking attack on his pacemaker.