Millions of Medical Devices Are Vulnerable to Hacking

By Casey C. Sullivan, Esq. on August 07, 2015 11:59 AM

First they came for our credit card numbers. Then they turned to our cars. Now, even medical devices are vulnerable to hacking. Pacemakers, insulin pumps and other medical devices are exposed -- so much so that the FDA has called for medical facilities to abandon some vulnerable devices.

Not only are the hackable medical devices a risk to patients, they're also a potentially huge liability to medical companies -- and perhaps a boon to malpractice lawyers.

Your Body Is a Machine

There's a surprising number of wireless-enabled medical devices, including neurostimulators, pacemakers, insulin pumps and foot drop implants. All of these devices can be vulnerable to hackers. The vulnerability isn't just theoretical, either. Last week, the FDA issued a safety communication calling on medical providers to stop using the Hospira Symbiq Infusion System, due to "cybersecurity vulnerabilities." The infusion pump delivers medications or nutrients to patients and could be hacked to alter the drug dosage amount -- even to deliver a fatal dose of medication.

The warning didn't come quickly, however. Cybersecurity expert Billy Rios claims that he identified the vulnerability and informed the FDA and Homeland Security of it over a year ago. According to KQED, Rios not only figured out how to administer a lethal dose of drugs, he hacked hundreds of pre-programmed passwords from the devices. More than 400 days since the vulnerability was revealed, no fix has been made.

FDA Acts, But Slowly

If the FDA is moving slowly to address the threats, it is at least aware of them. Last year, the FDA released new recommendations for improving cybersecurity in medical devices. However, there are no laws or binding regulations currently governing medical devices and cybersecurity. Hospitals and device makers are not required to follow the FDA's guidelines, and they're only required to report malfunctions when a patient is injured or dies. That means vulnerabilities can often go unpublicized.

That may leave the process of enforcing proper care and caution to plaintiffs' lawyers, a slow and almost exclusively retrospective form of regulation. It might take a patient death for negligence to be rooted out, something that the Mayo Clinic's security expert Kevin McDonald worries about. "My biggest fear," he told KQED, "is that somebody will take out a large number of devices across an institution."

There are over ten million Americans who rely on medical devices that could be hacked. At least one of them isn't waiting for vulnerabilities to become actual deaths. Former Vice President Dick Cheney, fearing hackers would go after his pacemaker, had its wireless capabilities removed years ago. Some cautious patients might want to follow his lead.
