Pacemakers are easy targets for hackers, the US Food and Drug Administration< has warned in a cybersecurity briefing.
The small devices have been saving lives for decades, and have now been developed to send information about a patient’s heart to their doctor. The latest models can even be fixed remotely if something goes wrong.
But, says a Daily Mail report, the US government has issued rules for addressing cyber vulnerabilities in these life-saving medical devices as well as, insulin pumps and imaging systems.
“Cybersecurity threats are real, ever-present and continuously changing,” Suzanne Schwartz, a senior US Food and Drug Administration official is quoted in the report as saying. “And as hackers become more sophisticated, these cybersecurity risks will evolve.”
US officials have been investigating flaws in pacemakers since August when a batch ran out of battery three months before they were supposed to, leading to at least two deaths. The medical devices, made by St Jude Medical, had a rare defect that caused them to fail much earlier than expected. The report says after five months of investigation – with more to go – the FDA has released 30 pages of guidance about the devices’ security flaws.
The report says the allegations, which surfaced in August, underscore the need for clear government rules on identifying and mitigating the impact of security vulnerabilities in medical equipment.
The FDA has been grappling with such issues for several years in response to a surge in research on potentially life-threatening security bugs in medical devices from so-called ‘white hat’ hackers looking to identify flaws before they are exploited to harm patients.
The agency in 2014 issued guidance on how manufacturers should address cyber security when developing new products, though the rules did not cover equipment that was already on the market.
In 2015 the FDA advised hospitals to halt use of one of Hospira Inc’s infusion pumps, saying a security vulnerability could allow cyber attackers to take remote control of the system.
The report says the new guidelines detail how manufacturers should identify and fix cyber vulnerabilities in products that are already on the market. The rules encourage medical device makers to establish programs to make it easy for security researchers to report new bugs.
“There is greater clarity for manufacturers, patients and hospitals,” said Josh Corman, an expert on medical device security who is director of the Atlantic Council’s Cyber Statecraft Initiative.