Software vulnerabilities in some medical devices could leave them susceptible to hackers, FDA warns
Nefarious individuals hacking into your pacemaker? It’s not just the plot of some sci-fi movie. It’s a real-life threat, according to the Food and Drug Administration.
The FDA is warning patients, medical providers and hospitals that software vulnerabilities in some medical devices might allow a hacker to take control of items that connect to wireless networks — think pacemakers and infusion pumps — or find a back door into entire hospital networks.
“These cybersecurity vulnerabilities may allow a remote user to take control of a medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent a device from functioning properly or at all,” according to a statement from the agency.
The FDA identified 11 cybersecurity holes in operating systems that run third-party software called IPnet, which computers use to communicate with each other. IPnet is used in many medical devices.
A possible hack could be difficult to detect
So far there have been no reports of devices or networks being hacked this way, but the agency wants patients to remain wary.
“While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed could be significant,” said Suzanne Schwartz, a deputy director in the FDA’s Center for Devices and Radiological Health. “It’s important for manufacturers to be aware that the nature of these vulnerabilities allows the attack to occur undetected and without user interaction. Because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures.”
If you’re a patient, the FDA wants you to talk to your health care provide and determine whether your medical device could be affected by the software vulnerabilities. And seek medical attention immediately if you think your device is suddenly operating differently.
Health care providers are urged to work with device manufactures to figure out whether medical devices in hospitals and other facilities could be affected and develop risk mitigation plans if they are.
