The US Department of Homeland Security confirmed on Wednesday that it is investigating about two dozen cases of reported cyber security flaws in medical devices from various vendors.
Members of DHS's Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) are currently engaged with officials from the US Food and Drug Administration (FDA), medical device manufacturers, and healthcare professionals to address the vulnerabilities, DHS spokesman S.Y. Lee said Wednesday.
Reuters earlier had broken news of the investigation and quoted unnamed sources as identifying Hospira Inc., St. Jude Medical Inc., and Medtronic Inc. as among the vendors whose products are being scrutinized by the DHS.
The investigations, which started quietly about two years ago, stem from growing fears of malicious hackers exploiting security flaws in modern network-connected medical devices to lethal effect, Reuters said.
Lee today confirmed the investigations, but did not identify any of the companies or devices that are being reviewed for flaws. "DHS actively collaborates with public and private sector partners every day to identify and reduce adverse impacts on the nation's critical cyber systems," Lee said in an emailed statement. The investigation is part of the ICS-CERT's ongoing mission to coordinate vulnerability remediation efforts in critical infrastructure systems.
According to Reuters, the products being reviewed include an infusion pump from Hospira that is used to deliver drugs and implantable heart devices manufactured by Medtronic and St. Jude Medical. Also included in the review are medical imaging systems, hospital networking equipment, and a wide range of other technologies, Reuters said.
In each case, the DHS apparently is working with the manufacturers to identify and repair defective code in their products that would allow attackers to take control of them.
Officials from Medtronic, St. Jude Medical, and Hospira did not immediately respond to a request seeking comment.
News of the DHS investigation coincides with an FDA-sponsored public workshop on collaborative approaches to medical device and healthcare cybersecurity being held in Arlington, Va., this week. The event is designed to bring together medical device manufacturers, healthcare providers, and IT and security administrators to discuss ways to identify and mitigate security threats in medical technologies.
The DHS investigation is another manifestation of the growing concerns over security vulnerabilities in modern network-connected medical devices and equipment. So far, there have been no publicly reported instances where an attacker has actually compromised a medical device or equipment to either steal data from it or to sabotage it.
Even so, many believe that such attacks are both feasible and not very far away from happening. Security researchers such as the late Barnaby Jack and Jay Radcliffe have already demonstrated how hackers can take control of wireless-enabled medical devices to create all sorts of havoc.
Barnaby, who died in 2013 just days before a scheduled BlackHat presentation on lethal insecurities in medical implants, showed how a wireless-enabled insulin pump could be tricked into delivering a lethal dose of insulin to anyone wearing the pump. In another demonstration, he showed how an attacker could potentially take control of a wireless-enabled pacemaker from a leading vendor and get it to deliver a deadly shock.
Concerns over such attacks prompted former vice president Dick Cheney's doctors to disable the wireless functionality of his pacemaker last year.
The FDA, which has been shepherding efforts to improve cyber security in the medical equipment market, released a new set of recommendations earlier this month for protecting network-enabled devices. The recommendations call on equipment manufacturers and device makers to implement steps to identify and reduce vulnerabilities that affect device functionality and security. But many security researchers believe that more action is needed to spur real change.
The FDA "could also do something like GSA did for cloud services -- require devices to actually be tested for security vulnerabilities by third-party assessors that are licensed and certified to do the testing," said John Pescatore, director of emerging security threats at the SANS Institute.
"Many medical devices and equipment are sort of like Windows was before the worms of 2001 and 2003 caused so much havoc that Bill Gates got security religion and forced Microsoft to change," he noted. The big difference in the health industry is the sheer number of vendors. "There is no one vendor here that has 90% market share. [So] the problems when they hit will be too spread out."