Here’s a heart-stopping cyber-threat: Your pacemaker could get hacked.
The Food and Drug Administration this week published guidelines to help medical manufacturers prevent hackers from breaking into implantable devices that operate with the help of cloud-based networks.
Those include pacemakers, defibrillators and insulin pumps, whose manufacturers increasingly are loading them with software updates to improve performance and gather data.
In its report, the FDA didn’t shy away from painting a horror scenario, one in which a researcher notifies a manufacturer that its implantable device “can be reprogrammed by an unauthorized user.”
“If exploited, this vulnerability could result in permanent impairment, a life-threatening injury, or death,” according to the FDA.
The FDA’s fixes wouldn’t be helpful in the emergency room. The agency suggests, for example, that a manufacturer notify its customers within 30 days of learning of the vulnerability, and patch it within 60 days.
In October, Johnson & Johnson told patients that it had learned of a security vulnerability in one of its insulin pumps that a hacker could exploit to overdose diabetic patients with insulin.
While the medical giant described the risk as low, experts believe it was the first time a manufacturer had issued such a warning to patients about a cyber-vulnerability.
In August, short seller Muddy Waters and a cybersecurity research firm went public with allegations of potentially life-threatening cyber-vulnerabilities in heart devices from St. Jude Medical.
As its shares tumbled, St. Jude said the allegations were false, and the FDA began an investigation.
In 2015, FDA warned that the Hospira infusion pump, which slowly releases nutrients and medications into a patient’s body, could be accessed and controlled through the hospital’s network.
“In fact, hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety,” the FDA’s Suzanne Schwartz said in a blog post on the new guidelines. “And as hackers become more sophisticated, these cybersecurity risks will evolve.”
With Reuters