
Many of today’s advanced medical devices provide the benefits of real-time information to medical professionals. Insulin pumps, defibrillators, and cardiac monitoring devices send data over the Internet, improving the ability of healthcare providers to monitor and treat their patients.

These advances, however, also leave medical devices vulnerable to potential cybersecurity threats, including security breaches, which could impact the safety and effectiveness of the devices and leave patients at risk of serious injuries and even death.

FDA Warns of Hacking Threats to Personal Medical Devices

In October 2018, FDA Commissioner Scott Gottlieb, M.D., released a statement on the FDA’s efforts to strengthen its medical device cybersecurity program. “The threat of cyber attacks is no longer theoretical,” he wrote.

“Cyber criminals and adversaries can inflict significant harm on networks through relatively simple methods, like emails or bugs known as malware.”

The FDA has warned about hacking dangers related to specific devices several times over the past few years. In June 2019, it alerted patients and health care providers to the fact that certain Medtronic MiniMed insulin pumps had potential cybersecurity risks, and that diabetes patients should switch to models better equipped to protect them against these risks.

The danger was that an unauthorized person could potentially connect wirelessly to the vulnerable pump and change the settings to either over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to diabetic ketoacidosis. Medtronic recalled several pumps and offered replacements.

The FDA has sent out similar warnings concerning potential cyberattacks on implanted heart devices like defibrillators, as hackers could use the monitors to control the owners’ heart devices. In 2017, Abbott (formerly St. Jude Medical) recalled 465,000 of its pacemakers after learning that they could be hacked in such a way as to allow an unauthorized user to access a patient’s device and modify programming commands.

FDA Provides Guidance to Manufacturers in Designing More Secure Products

In response to these threats, the FDA—working with the MITRE Corporation—launched a cybersecurity “playbook” focused on promoting cybersecurity readiness. The administration also brought together multiple stakeholders, including manufacturers, hospitals, health care providers, government entities, and cybersecurity researchers “to allow for increased information sharing and transparency around cybersecurity risks,” Gottlieb stated.

Premarket guidance from the FDA identifies issues manufacturers should consider in the design of their devices to ensure their products are adequately equipped to protect against cybersecurity threats. Post-market guidance also outlines a risk-based framework device-makers should use to make sure they can respond to cybersecurity threats once their devices are on the market.

So far, the FDA is not aware of any reports of an unauthorized user hacking a medical device in use by a patient, but the risk of this type of attack exists.
