Pacemakers and insulin pumps can be hacked, experts say

Pacemakers and insulin pumps can be hacked, experts say

NEW YORK, June 1 (UPI) — The millions of people in the United States with pacemakers and insulin pumps need to remember that the devices that keep them healthy use software, which means they are susceptible to hacking, experts say at UPI.

Although the risk of cyberattacks on these personal medical devices is low, it is not zero, they said, which is why the Food and drug administration recently updated its orientation project on security considerations for them and plans to present them to industry leaders on June 14.

Despite “cybersecurity vulnerabilities” detected in devices made by Abbott when it was known as St. Jude Medical, there have been no reports of pacemaker hacks, the FDA told AFP. era.

Still, the incident was a “fascinating lesson for us and really opened our eyes to the possibilities here,” Dr. David J. Slotwiner, a cardiologist and cardiac electrophysiologist who treats patients fitted with automatic defibrillators, told UPI. implants and pacemakers.

“Hacking is definitely something people with these devices need to be aware of and know is a possibility,” said Slotwiner, who is chief of cardiology at New York Presbyterian Hospital-Queens and wrote on potential cybersecurity issues with these life-saving technologies.

Just a hypothetical problem – for now

A 2012 episode of the Showtime series “Homeland” – appropriately called “Broken Hearts” – featured a storyline in which the fictional Vice President of the United States was assassinated by terrorists who hacked into the pacemaker that helped control his heart, Slotwiner says.

However, in a case of art imitating life, the former vice president Dick Cheney told CBS’s “60 Minutes” in 2013 that he asked his doctors to turn off the wireless function of the pacemaker he had implanted in 2007.

Apparently, he and national security officials feared that terrorists could hack into the device and send signals to him to shock his heart into cardiac arrest, he said at the time.

“I was aware of the danger [and] I found it believable,” Cheney told “60 Minutes.”

In reality, however, the FDA has so far received no reports of “deliberate or intentional medical device compromises due to computer exploits,” according to an agency spokeswoman.

Yet last spring, a ransomware attack affecting 40 or more hospitals across the country caused radiation therapy machines used in life-saving cancer treatments to be unavailable for nearly a week, the agency said.

Similarly, a ransomware attack called “want to crydisrupted patient care at National Health Service facilities in Britain in 2017.

In ransomware attacks, hackers intentionally infect computer systems with a virus and effectively hold it hostage until victims meet certain financial requirements, according to Slotwiner.

While these incidents do not target implantable or wearable devices, such as pacemakers, defibrillators and insulin pumps that patients use offsite, they could become collateral damage in attacks on hospitals and manufacturers, said healthcare cybersecurity consultant Drexel DeFord.

Currently, the risk of cyberattacks with these devices remains “pretty low”, given that “even when they come in for a software update, the time they spend connected to the health system network is minimal”, said DeFord, a former chief information officer for several major hospitals.

However, as hackers become more sophisticated, that could change, he said.

For this reason, Congress is considering legislation, called the Patches Actthat would require device makers seeking FDA approval for their devices to demonstrate “reasonable assurance of safety” in cybersecurity, DeFord said.

“Right now, the risk of these smaller personal devices being part of a cyberattack is extremely low, but if you’re the person it happens to, it almost doesn’t matter,” he said. -he declares.

The Patch Act is for new devices seeking FDA clearance, but, for now, it’s for “older legacy devices” that went into service “at a time when there was less concern” about the cybersecurity that are vulnerable, according to Dr. David C. Klonoff, who has studied cybersecurity issues.

Most new devices for people with diabetes, including insulin pumps and glucometers, have software designed to “patch loopholes” and protect against cyberattacks, said Klonoff, medical director of Diabetes Research. Institute at Mills-Peninsula Medical Center in San Mateo, California.

“No one has a greater stake in preventing cyberattacks than manufacturers,” said Slotwiner of the New York Presbyterian.

The fear of a product becoming the first implicated in a cyberattack-related death and resulting litigation are huge motivators, he added.

Cybersecurity hygiene

Although the software engineers he works with have suggested that those with cardiac devices be on the lookout for “changes in the way they operate,” that’s really not practical, Slotwiner said.

Rather, patients — and their doctors — should adhere to “standard cybersecurity hygiene practices,” he said.

This includes adhering to remote device monitoring protocols and observing scheduled office visits for software updates, Slotwiner said.

These updates typically include patches designed to improve device security, he said.

“I always tell my patients when they get a new defibrillator or pacemaker that there will be software or firmware updates over the life of their device,” Slotwiner said.

“These updates are part of supporting the device,” he said.

Additionally, people who use medical devices should keep an eye on the news to see if the manufacturers who made the products or the healthcare facility that prescribed or implanted them – and therefore monitors them – have been targeted. of a cyberattack, DeFord said.

Still, “what we don’t want to see are people fearing being hit by a cyberattack and disconnecting their devices from remote monitoring systems,” as former Vice President Slotwiner said.

“These monitoring systems ensure that the device is working properly and can detect important health issues,” he said.

Instead, if patients are concerned that their device has been compromised in a cyberattack, they should contact their doctor and, if possible, the product manufacturer for advice, he added.

Hackers “have built really sophisticated high-tech companies that have information technology departments and software development teams,” DeFord said.

“That’s what we’re up against, and the healthcare industry needs to keep pace,” he said.


Comments are closed.