Medtech Hacking: The Newest Way to Scare TV Watchers

A recent episode of "CSI: Cyber" aired in which all of the networked medical devices in a hospital were hacked. It may be sensationalized, but the argument that many networked medical devices are relatively insecure is correct.

Brian Buntz

It seems the possibility of hacking medical devices is getting more attention in popular culture than it is getting from medical device OEMs. A couple of weeks ago, the subject was featured in an episode titled "Hack E.R." of the CBS show CSI: Cyber. The premise is that a hacker gains control of all of the networked medical devices and computers within a Dallas hospital and threatens to kill a patient every hour if the hacker's demands aren't met. "They had a scenario where a hacker said: 'if you don't pay me this, I am going to turn off your ventilators,'" recounts Bill Betten, director of business solutions, DeviceX (Eden Prairie, MN). "They hacked the vital signs alarms so the alarms didn't go off."

One patient died in the episode because a hacked infusion pump delivered a fatal drug dose. The plot device was perhaps inspired by FDA's warning earlier this year about the potential of a Hospira infusion pump to be hacked. In another scene, further chaos ensues when the polarity of an MRI's magnet is reversed. Along the way, one of the CSI investigators makes the comment that medical devices are less secure than smartphones.  

The plotline may have been sensationalized, but it does drive home the fact that security of medical devices is paramount, Betten says. "I would say be concerned, but not paranoid." (Betten will be featured at the upcoming BIOMEDevice San Jose show at the event's Center Stage pavilion.) "Medical device professionals should put contingencies in place. As engineering types, we should know that nothing is 100% and that hackers are always becoming more sophisticated."

While the threat of hacking medical devices may be real, it may not be as big of a problem as TV writers suggest in shows like CSI: Cyber or Homeland. "There are always things that can go wrong, but imagine the relative difficulty for hackers to identify and target people with, say, pacemakers," Betten says. "Let's say there are a few million people in the United States with pacemakers out of a total population of 320 million. Hackers could identify those with pacemakers, hack them, and threaten to shut the devices off if payment isn't received. On the other hand, it would be much simpler for an armed criminal to say: 'I have a gun and will shoot you unless you pay me.' Or how does the risk of hacking a pacemaker compare with the risk of hacking my back account. Where the hackers going to expend their effort? There could be a hacking value in targeting an ICD but I don't think there would be a lot of money in it."