
Dozens of flawed medical devices open to Homeland-style cyber attack

US officials are becoming increasingly concerned that flaws in medical devices could leave them vulnerable to hacking attacks and potentially put the lives of the patients using them at risk.


The US Department of Homeland Security [DHS] is poring over around two dozen instances of cyber-security flaws in medical devices and hospital equipment that could eventually be exploited for illicit means, a senior official told Reuters.

Among the devices being probed by the department's Industrial Control Systems Cyber Emergency Response Team [ICS-CERT] are implantable heart devices manufactured by Medtronic and St Jude Medical, and an infusion pump from Hospira, according to people familiar with the matter.

The DHS is already working with the companies involved to find the flaws and then patch up software bugs and other vulnerabilities before they fall prey to hackers or malicious actors.

"These are the things that shows like 'Homeland' are built from," said the official, referring to the case of a fictional vice president of the US who is killed by a cyber attack in the TV show. "It isn't out of the realm of the possible to cause severe injury or death."

The agency has been looking at healthcare equipment for the past two years, and its review comes after the country's Food and Drug Administration [FDA] recently released guidelines for manufacturers and healthcare providers to make sure devices are secured.

In response to the claims, Hospira spokeswoman Tareta Adams did not refer specifically to its infusion pump, although she did confirm that the company is working on firming up the security of its products.

"Hospira has implemented software adjustments, distributed customer communications and made a commitment to evaluate other changes going forward, while ensuring we are not adversely impacting the ability of our devices to meet hospital and patient needs, and maintain compliance with FDA product requirements," Adams said in the statement.

One expert thinks that the threat posed by flaws of this ilk is negligible and that other problems with medical equipment, such as inconsistent user interfaces, are far more of a danger.

"We've got no documented cases of people being killed as a result of hacking of medical equipment, but there are many instances of people dying as a result of safety usability failures," Ross Anderson, professor of security engineering at the University of Cambridge, told the BBC. "You can find instances of pumps from the same manufacturer where the up key and the down key might be '2' and '5' on one pump and '2' and '7' on another - the design of some medical equipment interfaces is as careless as the design of aircraft cockpits was in the 1930s."
