The government has warned about the hacking risks of connected medical devices for years. And on Friday, U.S. regulators said that one pump used to deliver medicine to patients, the Symbiq Infusion System from medical device-maker Hospira, can be hacked by someone who gains access to a hospital's computer network. "This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies," the Food and Drug Administration said in guidance posted online.
That's a potentially fatal flaw, experts said. "There's no question that these vulnerabilities can be used to kill someone -- we wrote an exploit that would do just that and gave the research to the Department of Homeland Security and the FDA," said Billy Rios, a former Google software engineer who now works as a security consultant and is credited by the Department of Homeland Security with finding issues with some of Hospira's pumps.
Jay Radcliffe, who demonstrated a way to wirelessly hack a computerized insulin pump in 2011, said the risks posed by this type of vulnerability was potentially scarier than some other medical device vulnerabilities. "These devices are actively connected to a hospital's network -- and depending on the set up of a hospital's network someone might be able to potentially access that from the Internet," he said.
The FDA "strongly" encouraged health-care providers to stop using the pumps. But the FDA said neither the agency nor Hospira was aware of the issue being exploited in a health-care setting. Hospira stopped making the device as part of a larger strategy shift and is in the process of removing it from the market, the company said in a statement posted to its Web site.
"As we learn about vulnerabilities, we are committed to continuing to communicate with customers regarding cybersecurity, software and infusion pump updates and/or enhancements," the company said.
The FDA has previously warned about security vulnerabilities in other Hospira-distributed drug pumps. And Rios was critical of Hospira's response to the problem, which he says appears to push to get hospitals to buy new versions of the pumps rather than providing fixes for products already on the market.
"In alignment with Hospira’s cybersecurity roadmap, we’ve designed our next-generation infusion systems with enhanced network security protections in place," the company's statement on the Symbiq vulnerability notes.
But these sort of issues aren't unique to Hospira, according to experts. "We're still in the process of getting all the companies to the same level of understanding that if your device uses computers, you have to be prepared to patch them and update them," said Radcliffe.
Many established medical device companies have a process for responding to reports of vulnerabilities with their technology, but the first time such a company is told by an independent security researcher there may be a problem, they could be suspicious that they are being blackmailed or dealing with a criminal hacker, he said.
Radcliffe said he doesn't know of any medical device hacks that have resulted in patient injury. But if such an attack had occurred, it may not have been discovered, he said. "People who are on these devices are typically very sick, so if they die someone might not think to look at the medical device to see if something intentional occurred," Radcliffe said.
And such a death may be difficult to investigate from a technical perspective, according to experts. "The forensics capabilities available in these devices is really poor -- it would be really difficult to determine if these had been attacked," said Rios.
Even if a hacked medical device isn't used to harm a patient, it could lead to other problems: A report released by security firm TrapX in May said that it found that attackers had used medical devices such as x-ray scanners as a way to penetrate other parts of a hospital's network, potentially exposing patient information.