Device Hacking May Have Become a Homeland Security IssueDevice Hacking May Have Become a Homeland Security Issue
October 23, 2014
The U.S. Department of Homeland Security is apparently taking a greater interest in medical device cybersecurity, if a report from Reuters is to be believed.
Reuters recently cited a "senior official at the agency" saying Homeland Security's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, is investigating about two dozen cases of suspected medtech cybersecurity flaws. There have been no reported hacking instances, but Homeland Security officials consider the threat great enough to be working with companies to fix security vulnerabilities.
The devices involved including implantable heart devices from Medtronic and St. Jude Medical and an infusion pump from Hospira, "other people familiar with the cases" told Reuters.
In responding to a Qmed inquiry about the Reuters report, a St. Jude Medical spokesperson did not say whether their was a Homeland Security investigation per se, but did say the Little Canada, MN-based company works with indusry groups and regulators, including Homeland Security, to "monitor, analyze and influence global developments and trends in cybersecurity issues."
"St. Jude Medical has an ongoing program to perform extensive security testing on our medical devices and networked equipment. If a risk is identified, we will issue patches for any known issues. We've also incorporated the FDA draft guidance for cybersecurity into our product development process," said St. Jude Medical spokesperson Micki Sievwright.
Medtronic and Hospira spokespeople did not immediately respond to requests for comment.
Reuters earlier this year cited a private notice from the FBI alleging that "[th]e healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely."
The FBI has reportedly warned healthcare providers about the problem, with the data valuable to hackers on the black market because it includes details that could be used to break into bank accounts or obtain prescription drugs.
Medtronic already disclosed in its most recent annual report that it was victimized by hackers infiltrating the company's computers--and that two other medical device companies faced similar hacking incidents. (Medtronic said the hackers did not reach databases where patient data is stored.)
Such hacking could take on a much more sinister form than the shenanigans of seedy figures looking to steal some money or illegally score some drugs.
In the second season of Showtime's TV series Homeland, a fictional vice president is assassinated after his pacemaker is remotely hacked. Former Vice President Dick Cheney acknowledged in late 2013 that he considered such a threat credible enough that he had the wireless capabilities on his implanted defibrillator turned off for security purposes.
The late hacker Barnaby Jack meanwhile experimented with insulin pumps and claimed that he had discovered a way to hijack the device from up to 300 feet away, triggering potentially lethal insulin doses.
Shelby Kobes, an MPMN contributor who is now a senior consultant for PwC, wrote earlier this year that it could be difficult to even prove in court that a hacking took place. He said that, "issues that arise in developing a chain of custody for this type of data could allow for hackers to use legal loopholes to disallow evidence."
"Devices could be compromised, without any reliable proof of who did it," Kobes said.
Chris Newmarker is senior editor of Qmed and MPMN. Follow him on Twitter at @newmarker.
Like what you're reading? Subscribe to our daily e-newsletter.
About the Author
You May Also Like