Is Your Pacemaker Secure?
Your BBB® just received an article from Wired magazine that has the scary headline, “Medical Devices Are the Next Security Nightmare,” and we would like to pass along the information to our readers. The short answer is yes: pacemakers, defibrillators, insulin pumps, and other electronic medical devices are vulnerable to hacking. Not only can hackers take control of a single device, but they can potentially control “networks associated with that device and all related devices at a hospital.”
Two recent events illustrate the potential for harm that can come from medical devices not being secure. On October 3, 2016, Johnson & Johnson sent a letter to patients using the company’s diabetic insulin pump stating, “We have been notified of a cybersecurity issue with the OneTouch® Ping®, specifically that a person could potentially gain unauthorized access to the pump through its unencrypted radio frequency communication system. We want you to know that Animas has investigated this issue and has worked with the appropriate regulatory authorities and security experts, as we are always evaluating ways to further ensure patient safety and security.”
The Federal Food and Drug Administration (FDA) issued a safety alert on January 9, 2017 about cybersecurity vulnerabilities in St. Jude Medical’s radio frequency (RF)-enabled implantable cardiac devices. The FDA confirmed that “these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.” That same day, St. Jude Medical issued security updates for its Merlin remote monitoring system that were designed to fix the security flaws. The FDA reviewed the software patch and found that it did fix the problem.