Medical-device hackers could put countless patients in danger

It’s like something out of a Tom Clancy novel.

During his last year in office, doctors quickly removed the wireless function from Vice President Dick Cheney’s pacemaker.

They were worried that someone could hack into the device and assassinate him.

It sounds like real cloak-and-dagger stuff. But experts are warning that the medical devices that millions of us depend on to keep us alive are so vulnerable that even a high school hacker can break into them.

And what these hackers could do if they get control of our devices is almost too terrible to think about.

A tragedy waiting to happen
Just think about all the things we do to protect our personal and financial information. We don’t give out our Social Security numbers online — and our credit cards even come with those fancy new chips.

But when it comes to guarding our medical devices from hackers, it doesn’t look like anyone is lifting a finger to keep us safe.

In fact, just two years ago, a cybersecurity expert showed a shocked FDA just how fast he could hack into a Hospira infusion pump, which is used to dispense insulin and even chemo drugs.

It took him just minutes to crack the password and take over the device — and if he hadn’t been a “good guy” hacker, he could have easily delivered a deadly dose of drugs to a hospital patient.

The problem is that almost everything we touch these days is either sending out information via Bluetooth, or connected by Wi-Fi to the Internet. That’s especially true for medical devices like:

  • Cardiac defibrillators and pacemakers
  • Insulin pumps and glucose monitors
  • Gastric stimulators
  • Deep brain neurostimulators, and
  • Cochlear implants.

And that makes for one giant security threat unlike anything we’ve seen on TV or in the movies.

Breaking into computerized devices through Bluetooth or the Internet is exactly how financial information is so often stolen. Only in the case of medical equipment, it’s a lot more urgent than when your credit card or bank account number is lifted.

Finally, however, the FDA is limping into “action,” just releasing a 25-page draft guidance containing advice for device manufacturers to follow about patching security bugs and alerting consumers.

But only if they feel like doing it.

Actually, under the guidance, a company could just try and fix — or even cover up — a security problem without telling anyone, including the FDA. They’re only required to report something if it results in a person dying.

And if you think something smells mighty fishy about that, you’re not alone.

The president of the nonprofit group Consumer Watchdog, Jamie Court, says those pretty-please recommendations fall way too short. What we need is a law requiring device makers to improve and upgrade their systems to prevent attacks.

But that probably won’t be happening, he added, until a Congressman’s defibrillator is hacked.

Look, we know that when the FDA finally admits to a problem, it’s gone way too far. As Court said, if something isn’t done soon “someone is going to die.”

And with untold numbers of patients hooked up to or wearing these devices, it’s just a matter of time before tragedy strikes.

That’s why we all need to submit a formal comment at the Federal Register about the FDA’s weak-kneed industry guidance. We have until April 21 to let the agency know that “recommendations” aren’t going to do it.

It’s time the FDA took a firm stand on this. This is something that’s far too important just to leave to the foot-draggers of the federal government to do at their own pace.

You can go here to leave a comment for the FDA.

Sources:
“The FDA wants medical device creators to pay attention to cybersecurity,” Ashley Carman, January 19, 2016, The Verge, theverge.com