Health devices vulnerable to cyberattacks

Pacemakers, insulin pumps and many other medical devices have become potential targets for cybercriminals who could tamper with the equipment's operation or intercept personal information.

With the rapid proliferation of wireless connectivity and even smartphone apps, medical technology is increasingly exposed to hackers and malware in ways that could put millions of Americans' health and finances at risk.

The threats posed by targeted attacks and inadvertent malware infections are attracting the attention of federal regulators, who last week called on a wide range of players in the health care industry to band together to talk about solutions.

The issue is even on the radar of the Department of Homeland Security, after President Obama declared public health — including medical devices — part of the nation's "critical infrastructure."

"If our health care system would fail, a lot of people, a lot of sick people, would die," said Mike Ahmadi, global director of medical security with contractor Codenomicon.

Concern about the issue has been building for some time. The Government Accountability Office reported on the digital weaknesses of medical devices two years ago in a study that found the FDA does not evaluate new medical devices for their vulnerabilities to intentional attacks.

Three months later, the issue got fresh attention when the Showtime thriller "Homeland" depicted a fictional political assassination by hackers who infiltrated the vice president's pacemaker and induced a heart attack. Former Vice President Dick Cheney later called that scenario "credible" based on his own experience with a pacemaker.

Next month the Food and Drug Administration is teaming with the Department of Homeland Security and the Health and Human Services Department to host a public workshop to galvanize attention around the cybersecurity threats facing medical devices and underlying computer systems.

A number of industry interest groups have sprung up in Washington to examine the issue, including a K Street organization called the Medical Device Privacy Consortium whose members include device makers with big operations in Minnesota: Medtronic, Boston Scientific and St. Jude.

The consortium is working to develop voluntary best practices for the industry, as the FDA called for in draft rules it proposed last year.

"We take the security of devices very seriously," Micki Sievwright, spokeswoman for St. Jude Medical in Little Canada, said via e-mail. "Protection of confidential patient and consumer information is a high priority for us, and we will remain vigilant to the ever-increasing sophistication of those seeking unlawful access to such data."

The proposed rules the FDA published last year for how device makers should address cybersecurity threats may be finalized before the Oct. 21-22 medical device security meeting. In the meantime the FDA is building a new laboratory to test security vulnerabilities in health care equipment, and has asked hospitals and doctors to start voluntarily reporting security problems as adverse events.

"Medical devices, like other computer systems, can be vulnerable to security breaches, which could impact public health. This vulnerability increases as medical devices are increasingly 'connected' to the Internet, hospital networks, and to other medical devices," FDA spokeswoman Jennifer Rodriguez wrote in an e-mail.

Two key challenges will receive significant attention at the meeting next month: how to ensure the user accessing a medical device is legitimate, and how to protect data to minimize the harm from breaches.

The typical technological solutions to those problems — passwords and data encryption, respectively — don't work for medical devices. That's because much of the existing equipment is too old, and it has to allow doctors quick access in emergency situations, said Jay Radcliffe, a researcher at cybersecurity firm Rapid7 who grabbed national headlines when he hacked his Medtroinc insulin pump at a cybersecurity conference in 2011.

The FDA says the path forward is through collaboration and shared responsibility among all industry stakeholders, but progress on that front has been not been swift.

One of the key goals of the workshop is to kick-start collaboration and overcome "barriers (perceived and real) to create a community of 'shared ownership and shared responsibility'" among the various stakeholders, a posting last week in the Federal Register said.

"Complaints or adverse events relating to security may not be recognized as security issues, thereby depriving industry of valuable data," a report this month from the consortium says. "This creates difficulties for a single engineer, let alone an entire business or industry, to make informed, accurate and consistent probability determinations" about the cybersecurity threat facing medical devices.

Administrators of hospitals, however, told researchers at the Deloitte Center for Health Solutions recently that they think hospitals already reach out to device makers about cybersecurity issues. They would prefer device companies get more proactive in reaching out to them.

Nearly all hospital officials in the survey "believe that medical device manufacturers need to improve ongoing cybersecurity and private support and maintenance for networked medical devices," the Deloitte report concluded.

Russell Jones, the Deloitte partner who did the primary research on the report, said providers want a secure way to communicate with device makers without fear that information will lead to liability or public-relations problems for the hospitals.

"There are a lot of questions and problems that need to be solved, on both sides," he said. "It's not just something that manufacturers can solve themselves."