A heart defibrillator remotely controlled by a villainous hacker to trigger a fatal heart attack? It may only happen in the movies, but the Government Accountability Office (GAO) doesn’t want to take any chances.
In a recent report, the GAO, the non-partisan agency that investigates issues for Congress, says the threat that hackers could manipulate heart defibrillators and other remotely controlled medical devices to fatal ends is real enough for the U.S. Food and Drug Administration (FDA) to take action.
Often referred to as the “congressional watchdog,” the GAO says implantable devices such as defibrillators that jolt failing hearts back into rhythm, pacemakers that resync irregular heartbeats, or insulin pumps that maintain proper insulin levels for diabetics, are at risk for hacking. In the report, the GAO reviewed research published by information security specialists and studies in peer-reviewed journals and determined that these devices are indeed vulnerable to sabotage. Not only can the normal function of the devices be tampered with, but important, and private, health information collected by the devices is routinely uploaded to patients’ health records. While no cases of hacking have yet been reported among users, security specialists recently showed in some well-publicized cases that it was possible, and alarmingly easy, to hack insulin pumps. That prompted Congress to look into the security issues.
The GAO is requesting the FDA, which regulates the safety and effectiveness of medical devices and is also responsible for approving medical devices, to develop a plan to address the security risks. The report says the FDA considered risks from unintentional threats, such as ordinary magnets and airport security scanners, but not intentional ones during pre-market approval for devices.
“Even the human body is vulnerable to attack from computer hackers,” said California representative Anna Eshoo, one of three Congress members to request the report, in a statement. “Implantable medical devices have resulted in tremendous medical benefits for the patients who use them, but the demonstrated security risks require a renewed emphasis by the FDA and manufacturers to identify, evaluate and plug the potentially rare but serious security holes that exist in these devices.”
As NBC News reports, doctors use wireless communication systems to download diagnostic and function status information from their patients’ medical devices and make changes to the devices virtually. The GAO says that while the FDA has an adverse event reporting system in place, it doesn’t necessarily address the issue of information security problems. “Because information security in active implantable medical devices is a relatively new issue, those reporting might not understand the relevance of information security risks,” the authors write.
The site also acknowledges that the added security measures the GAO is calling for won’t be easy to implement:
Enhancing security of a vital medical device isn’t as simple as it sounds. The primary purpose of any medical device is to preserve health, not keep out bad guys. Installing security software could put more demand on battery life, for example. And suppose a patient has a defibrillator, his doctor’s office is closed, and he feels chest pains? He could go to an emergency room, but, panicky, could easily forget the password. The ER doctors then could not get access to whatever the device has to tell them.
In its report, the GAO offers several actions the FDA could adopt to create a more comprehensive security review process, including putting a greater burden on manufacturers to identify and address potential security risks during the pre-market approval process as well as establishing a separate entity responsible for assessing the safety of wireless devices from potential hacking.
“FDA shares the concern over the security and privacy of medical devices, and emphasizes security as a key element in device design,” the agency wrote in response to the report in a statement. “Any system with wireless communication can be subject to interception of data and compromised privacy as well as interference with performance that can compromise the safety and effectiveness of the device.”
Medical device manufacturers are becoming increasingly aware of security risks, but computer-security researcher Jay Radcliffe, who found security risks in his own insulin pump, told Bloomberg Businessweek he understands their time and money obstacles. “I can very much sympathize with the manufacturers’ concerns,” Radcliffe told Bloomberg. “When you’re dealing with this much vagueness, and you’re dealing with a security vulnerability where the risk is really, really low, you go to the FDA and say you want to change this device and it could be $500,000 and four years of time. In some cases, smaller manufacturers could go out of business.”
Still, the potential for breaches in privacy, not to mention serious health consequences, including death, that could arise from vulnerable wireless medical devices, is starting to alarm more government groups. Wired reports that the National Information Security and Privacy Advisory Board to pen a letter to the Office of Management and Budget requesting reforms in the oversight of device approvals.