Millions of Americans Use Medical Devices That May Be Vulnerable to Hacking

Listen to the story:
http://www.kqed.org/.stream/anon/radio/science/2015/08/20150803ScienceMedicaldeviceshacking.mp3
You have passwords for your smart phone and laptop, but what about your pacemaker or insulin pump?

Last Friday, the federal Food and Drug Administration recommended that all hospitals in California and across the country stop using a medical device that it says is vulnerable to cyber attacks.

The device is an infusion pump that delivers medications or nutrients to patients. A hacker who accessed it could change the drug dosage to give a patient not enough -- or a lethal amount.

California security expert Billy Rios says he identified the problem more than a year ago and notified the FDA and the Department of Homeland Security.

"Some of these pumps are really dangerous," says Rios, who founded digital security company Laconicly. "If we ever gain access to a hospital network and we know of a vulnerability affecting a particular device, what that really means is we can go from one location and touch one hundred different devices all at once."

These pumps are not the only medical devices vulnerable to hacking. More than 10 million Americans rely on devices like pacemakers and defibrillators.

(Cyber security expert Billy Rios remotely hacks into Hospira’s Symbiq infusion pump, which the FDA has encouraged all medical centers to stop using .)

If you are a fan of the Showtime television series Homeland, you may remember an episode where assassins killed the vice president by hacking into his pacemaker and disabling it.

This episode wasn’t just Hollywood making up stuff. Former Vice President Dick Cheney was so afraid of a cyber attack on his own pacemaker that he had the wireless feature on it disabled.

As technology has become more connected, so have medical devices. While some, like pacemakers, can only send information, others, can send and receive data.

And that leaves some patients vulnerable to a hacker trying to harm them or use their device as a portal to access medical data.

"All the tools that are required to do software debugging, to get software off of chips and basically to do hardware hacking," Rios says, "it’s become available to just any person."

As a benign or “white hat” hacker, Rios does research in his Half Moon Bay garage to help the Department of Homeland Security.

He proved he could remotely administer a lethal dose of drugs through a patient’s insulin pump. He has also hacked pre-programmed passwords from hundreds of devices. He and his colleague were able to figure out the passwords after acquiring embedded software and technical manuals from several vendors.

"We knew what those 300 passwords were," Rios says. "We could go to any device we wanted to and we had a set of usernames and passwords that would work against all these devices, and so that was pretty alarming."

The Food and Drug Administration, which regulates the sale of medical devices, has been issuing formal guidelines on the issue.

Suzanne Schwartz is the FDA’s Director of Emergency Preparedness. Last year, she helped publish new recommendations for how medical device makers should take cyber-security attacks into account.

"That is something, yes, that we continuously monitor and it’s something important that we want to hear about," Schwartz says, "whether it’s directly from the healthcare organizations or from the medical device manufacturers."

But Consumer Watchdog president Jamie Court says the FDA’s guidelines for medical devices fall short. He says what's needed is a law -- not recommendations -- requiring medical manufacturers and hospitals to upgrade systems to prevent cyber attacks.

"The reality is if they don’t someone is going to die," Court says. "Because it’s not safe. Someone will find a reason to change a counter on an insulin pump or take over a defibrillator just because they can."

Without legally binding rules, medical device security is left in the hands of hospitals and device makers. And they are required to report device malfunctions only if patients are injured or they die.

Medtronic, the nation's largest medical device manufacturer, has not reported any incidents so far.

The company declined to be interviewed and sent KQED a statement saying it aims to manufacture products that are as safe and secure as possible.

But Mayo Clinic cyber security expert Kevin McDonald says, while they haven't been catastrophic, some incidents have already occurred.

"Back in 2010," he says, "there was a heart catheterization lab out on the East Coast, that, because of some malware viruses, was put out of business for about three days. So they had to divert their patients to other places."

McDonald leads a team that’s trying to prevent harmful medical incidents.

"My biggest fear," he says, "is that somebody will take out a large number of devices across an institution."

To increase patient safety, the Mayo Clinic brought in researchers to analyze some of the devices it uses. It then reported vulnerabilities to the manufacturers.

But cyber security expert Rios says no matter what precautions one takes, medical devices are imperfect and will always need monitoring.

"At the end of the day, at the core of it, it's really just a computer," he says. "It's a processor and it's software that someone wrote. And so we can't treat those devices as if they're magical devices; they're not magical devices."

While last year the FDA issued guidelines for the manufacture of these devices, this year the agency is expected to release additional guidelines for how companies should update the devices’ software after they’re on the market.