FDA warns medical devices vulnerable to hackers

Posted at 10:29 PM, Aug 04, 2015
and last updated 2015-08-04 22:29:01-04

WASHINGTON -- The federal government issued a warning about a medical device that could be tampered with by hackers. The FDA and Department of Homeland Security issued a statement late last week that "strongly encourages" health care facilities to discontinue the use of a particular IV infusion pump after it was discovered the devices are vulnerable to cybersecurity threats.

The warning says the computerized pumps produced by Hospira--which continuously deliver medication over an extended period--could possibly be accessed remotely through a hospital's network.

Andy Syrewicze, senior cloud services engineer with Trivalent Group in Grandville, said hack threats against medical devices like pacemakers or medication pumps and other technology are unfortunately part of the new and ever-connected "normal" in which we now live.

“We’re definitely starting to see the proliferation of this concept we call ‘The Internet of Things,'" Syrewicze said. "It’s the idea that any device, no matter how small, can be connected to the Internet."

This latest warning from the FDA comes at a time of growing concerns over possible breaches that can extend well beyond credit card or personal information. Last week, Detroit automaker Chrysler recalled more than 1 million vehicles after hackers were able to successfully tap into a car and control it over the Internet.

“As developers and manufacturers of these devices continue to work on strengthening their product and making it more secure, you’re going to have this cat-and-mouse game, with hackers and attackers trying to find ways to get around those new innovations," Syrewicze said.

“If a device is listening wirelessly or has some sort of access capability, there is someone who is going to figure out a vulnerability for that device. It’s almost impossible to protect against everything."

Thomas Bryant at Wyoming-based Information Systems Intelligence (ISI) said the security holes discovered with the Hospira pumps are extremely troubling.

“Essentially, you could actually connect up to that device, that server, and, in essence, if you were able to compromise it, you could actually send signals and reprogram other devices out there, like changing levels of medication be administered," Bryant said.

“It’s a little scary."

Luckily, the FDA says there have not been any reports of such unauthorized access to one of the pumps in a health care setting.

But Bryant fears it could only be a matter of time, adding that the healthcare industry, especially, is slower than others to update software and secure networks. Bryant said ISI and others in the industry are working daily to make improvements in securing software to protect patients.

“The one fear is always somebody has to die for this to make a change happen, and hopefully it doesn’t ever get to that point," he said. “The biggest thing people can do is just be aware that these risks are out there."

Hospira stopped manufacturing the particular pumps in 2013, but many were still available to hospitals through third-party retailers.