A heart defibrillator remotely controlled by a villainous hacker to trigger a fatal heart attack? Yes, now it's possible. The Government Accountability Office has released a report warning that medical devices are vulnerable to hacking and calling for greater FDA oversight of such devices.
The investigation into electronic medical-device safety was initiated after computer-security researchers found dangerous vulnerabilities in insulin pumps. The FDA in 2009 issued guidance urging hospitals and medical device manufacturers to work together to eliminate security risks. But in September, the Government Accountability Office issued a report warning that implantable medical devices could be vulnerable to hacking, posing a safety threat, and asked the FDA to address the issue.
“Even the human body is vulnerable to attack from computer hackers,” Representative Anna Eshoo, a Democrat from California, said in a statement on her website. Preventing potential hacking might seem as simple as requiring a password for access. The operating systems that hospitals use are an even bigger challenge.
Barnaby Jack, who worked separately as a professional hacker for McAfee, both demonstrated ways to manipulate the wireless capabilities on devices made by Minneapolis-based Medtronic Inc. (MDT) to remotely take over the pumps and dispense fatal doses of insulin.
Earlier research bolstered their claims. A 2008 study from a consortium of academics found that a popular pacemaker-defibrillator could be reprogrammed to deliver deadly shocks. According to a 2011 report from the World Society of Arrhythmias, in just one year, 2009, 133,262 defibrillators were implanted in patients in the United States (434 devices for every million people), and that’s just one device for one condition.
To address security issues, the GAO recommends in the report that the Secretary of the Department of Health and Human Services direct the Commissioner of the FDA to develop and implement a more comprehensive plan to assist FDA in enhancing its review and surveillance of medical devices that more fully incorporates information security into these devices.