FDA Issues Warning About Hackable Medical Devices

Last week, the Food and Drug Administration issued a safety notice: an infusion pump, used in hospitals all over the country, is vulnerable to cyber attack. The FDA “strongly encourage[s]” hospitals to discontinue their use of the pump.

The infusion pump, used in hospitals to deliver a programmed amount of fluids into a patient’s body, is made by the company Hospira– we’ve pointed out their pumps in the past as a possible security threat. It’s one of several kinds of devices integral to patients’ daily lives—10 million Americans use devices like pacemakers, insulin pumps, and cochlear implants. Some, like pacemakers, only send information via a wireless connection, but others both send and receive information. That means that hackers could increase or decrease the device’s function, which could spell catastrophe for the patient.

The FDA has known about the security threat for a while. It’s even infiltrated the popular psyche—in an episode of Homeland, hackers kill the vice-president by disabling his pacemaker. In real life, it would probably be less dramatic. Hackers could mess with devices, “just because they can,” the president of Consumer Watchdog, a consumer advocacy organization, Jamie Court told KQED. And though the FDA has known about the issue for some time and issued guidelines for manufacturers to make medical devices more secure, some, like Court, claim that they aren’t strict enough.

Though this is the first time the FDA has issued such a warning for a medical device based on its cyber security risk, it very likely won’t be the last. Researchers have shown that they can hack the devices, and some incidents have already occurred. Others claim that medical devices will always be imperfect and require monitoring. But at least they could be much more secure than they are now, and the FDA is expected to release updated guidelines for improvements later this year.