The U.S. Food and Drug Administration (FDA) issued a safety alert on Thursday recommending that medical device manufacturers and health care facilities take steps to secure implantable medical devices and hospital equipment against cyberattacks, which could threaten patient lives and safety.
Cybersecurity experts largely focus on the vulnerability of hospital equipment such as CT scanners and heart monitors, whose functions can be disrupted by viruses and malware that travel over hospital networks, the Wall Street Journal reports. But device experts warn that individual implantable devices – defibrillators, pacemakers, and insulin pumps – are also vulnerable. Because “medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices, and smartphones,” the FDA alert explains, “there is an increased risk of cybersecurity breaches, which could affect how a medical device operates.”
Kevin Fu, a researcher who is now at the University of Michigan, has conducted experiments showing the vulnerability of implantable devices, the Wall Street Journal reports. In 2008 he demonstrated that a Medtronic defibrillator could be turned off remotely and later induced another defibrillator to deliver an unneeded shock. A researcher for McAfee Inc. remotely caused an insulin pump to deliver an overdose.
In a statement, Medtronic, Inc. said the company believes “the risk to an individual customer is low and the benefits of the therapy outweigh these risks,” the Wall Street Journal reports. Security consultants familiar with Medtronic’s efforts say Medtronic has been working on cybersecurity features for more than a decade but has kept such efforts low profile to avoid alarming patients.
While the FDA said it is not aware of any “specific devices or systems that have been purposely targeted,” the agency is urging all device manufacturers to “review their cybersecurity practices and policies to assure that appropriate safeguards are in place to prevent unauthorized access or modification to their medical devices or compromise of the security of the hospital network that may be connected to the device.”