BOSTON – The U.S. Department of Homeland Security is investigating about two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment that officials fear could be exploited by hackers, a senior official at the agency told Reuters.
The products under review by the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, include an infusion pump from Hospira Inc and implantable heart devices from Medtronic Inc and St Jude Medical Inc, according to other people familiar with the cases, who asked not to be identified because the probes are confidential.
These people said they do not know of any instances of hackers attacking patients through these devices, so the cyber threat should not be overstated. Still, the agency is concerned that malicious actors may try to gain control of the devices remotely and create problems, such as instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity, the sources said.
The senior DHS official said the agency is working with manufacturers to identify and repair software coding bugs and other vulnerabilities that hackers can potentially use to expose confidential data or attack hospital equipment. He declined to name the companies.
“These are the things that shows like ‘Homeland’ are built from,” said the official, referring to the U.S. television spy drama in which the fictional vice president of the United States is killed by a cyber attack on his pacemaker.
“It isn’t out of the realm of the possible to cause severe injury or death,” said the official, who did not want to be identified due to the sensitive nature of his work.
Hospira, Medtronic and St Jude Medical declined to comment on the DHS investigations. All three companies said they take cybersecurity seriously and have made changes to improve product safety, but declined to give details.
CONNECTED DEVICES
ICS-CERT’s mandate is to help protect critical U.S. infrastructure from cyber threats, whether they are introduced through human error, virus infections, or through attacks by criminals or extremists.
According to the senior DHS official, the agency started examining healthcare equipment about two years ago, when cybersecurity researchers were becoming more interested in medical devices that increasingly contained computer chips, software, wireless technology and Internet connectivity, making them more susceptible to hacking.
The U.S. Food and Drug Administration, which regulates the sale of medical devices, recently released guidelines for manufacturers and healthcare providers to better secure medical devices and is holding its first public conference on the topic this week.
“The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too,” said William Maisel, chief scientist at the FDA’s Center for Devices and Radiological Health. He declined to comment on the DHS reviews.
The senior DHS official said the two dozen cases currently under investigation cover a wide range of equipment, including medical imaging equipment and hospital networking systems. A DHS review does not imply the government thinks a company has done anything wrong – it means the agency is looking into a suspected vulnerability to try to help rectify it.
One of the cases involves an alleged vulnerability in a type of infusion pump, a piece of hospital equipment that delivers medication directly into a patient’s bloodstream. Private cybersecurity researcher Billy Rios said he discovered the alleged bug but declined to identify the manufacturer of the pump. Two people familiar with his research said the manufacturer was Hospira.
Rios said he wrote a program that could remotely force multiple pumps to dose patients with potentially lethal amounts of drugs. He submitted his analysis to the DHS.
“This is an issue that is going to be extremely difficult to patch,” said Rios, a former Marine platoon commander who has worked for several Silicon Valley technology firms and recently founded security startup Laconicly.
Reuters was not able to independently review his research or identify the type of pump Rios studied from Hospira’s line, which includes multiple models.
Hospira spokeswoman Tareta Adams, while declining to comment on specifics, said the company is working to improve the security of its products.
“Hospira has implemented software adjustments, distributed customer communications and made a commitment to evaluate other changes going forward, while ensuring we are not adversely impacting the ability of our devices to meet hospital and patient needs, and maintain compliance with FDA product requirements,” Adams said in the statement.