A new study from the GAO calls for federal regulators to do more to protect wireless medical devices from security threats.
"It’s not like someone stealing your credit card and you’re out a couple hundred dollars. In this case … we’re talking about someone’s life," said computer security researcher Jay Radcliffe, shown with a radio device he used to wirelessly disable his own insulin pump.
Wireless technology is creating new possibilities for implantable medical devices, from monitoring heart rhythms from a world away to adjusting the amount of insulin a diabetic receives.
But according to a just-released U.S. Government Accountability Office report, such technology has also opened the doors to hackers.
As a result, the GAO is calling for the U.S. Food and Drug Administration to develop a plan to enhance its surveillance of medical devices. Part of that process will be keeping a sharp eye on information security.
Just last August, researcher Jay Radcliffe stood on a Las Vegas stage and hacked into his own insulin pump, disabling its life-saving therapy. Radcliffe said the pump had "pretty much no security on it" -- a vulnerability it shares with pacemakers, implantable heart defibrillators and other medical devices.
His presentation at the annual Black Hat computer security conference highlighted a risk the medical device industry has downplayed by arguing that only someone with advanced skills could hack the devices.
On Thursday, Radcliffe lauded the GAO report, calling it "a really good start."
"I think this report will put pressure on the FDA to come up with a process for making fixes," Radcliffe said.
The FDA is responsible for regulating medical devices and ensuring their safety. When the FDA has looked at devices' vulnerability to threats, the agency has focused more on unintentional threats, such as MRI machines or electromagnetic energy in the environment, the GAO said.
But according to the GAO, regulators need to "consider information security risks resulting from intentional threats when reviewing manufacturers' submissions for new devices."
No known public incidents
There have been no known incidents of medical device hacking involving the general public, the GAO said. But computer-security researchers have found insulin pumps' wireless components to be vulnerable to manipulation.
"It's not like someone stealing your credit card and you're out a couple hundred dollars," Radcliffe said last year. "In this case, if there's one failure in the system, we're talking about someone's life."
Experts at Fridley-based Medtronic reviewed Radcliffe's research. On Thursday, Radcliffe said he has been working with Medtronic and other manufacturers for the past year on beefing up information security. He said Medtronic has made "great strides," including putting someone in charge of overseeing privacy and security for all of its products.
The key now, Radcliffe said, is how much clarity the FDA provides to manufacturers regarding making existing devices more secure. For example, will device makers have to pull devices from the market? Will they have to go through clinical trials all over again? Could this cost them years -- and a lot of money -- to address?
Four years ago, a study showed that implantable heart defibrillators could be hacked remotely. Researchers placed a device in a slab of bacon and ground beef to simulate the human body -- but a real attack could make the device useless.
Medtronic said in a statement Thursday that it appreciates the GAO report and is seeking solutions to better secure its devices.
"The company will continue to work with industry, regulators and researchers to anticipate and respond to potential risks and collaboratively address this industrywide issue," the statement said.
James Walsh • 612-673-7428