US investigators probe alleged life-threatening medical device security flaws

Out-Law News | 24 Oct 2014 | 5:16 pm | 1 min. read

Alleged cyber security flaws in approximately two dozen medical device products are being investigated by US officials, according to a Reuters report.

The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is investigating the cases, Reuters said. ICS-CERT conducts tests and analysis of security risks to US critical infrastructure.

Heart implant devices and infusion pumps are among the devices that are being scrutinised for security flaws, the report said.

An unnamed official, described by Reuters as close to the ongoing investigations, said that flaws that could allow hackers to control medical devices pose a potential threat to life.

"It isn't out of the realm of the possible to cause severe injury or death," the source told Reuters.

Last year ICS-CERT warned that a password vulnerability put hundreds of medical devices at risk of hacking.

It said researchers had found approximately 300 medical devices, including patient monitors, ventilators, drug infusion pumps, surgical and anaesthesia devices, external defibrillators and laboratory and analysis equipment, were at risk because of the flaw. The vulnerability was identified in devices made by approximately 40 different manufacturers.

ICS-CERT said at the time that there was no evidence that the password vulnerability had been exploited.

Earlier this month, the US Food and Drug Administration (FDA) published new guidelines on cyber security for medical devices (9-page / 332KB PDF).

"As medical devices become more interconnected and interoperable, they can improve the care patients receive and create efficiencies in the healthcare system," the FDA said in a statement. "Some medical devices, like computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. By carefully considering possible cyber security risks while designing medical devices, and having a plan to manage system or software updates, manufacturers can reduce the vulnerability in their medical devices."

Suzanne Schwartz of the FDA said no medical device is "threat-proof".

"It is important for medical device manufacturers to remain vigilant about cyber security and to appropriately protect patients from those risks," Schwartz said.