The capability to remotely monitor, interrogate and reprogram implanted medical devices provides important benefits for patients. It also makes the devices vulnerable to attack, similar to the way garage door openers, remote start systems and even cars can be exploited if they don’t have adequate security.
In August 2012, the US General Accounting Office (GAO) issued a report asking FDA to develop medical device safety guidelines to address potential threats such as hacking and malware. Historically, the agency has focused on the evaluation and mitigation of risks from unintentional threats – such as interference from other electronic devices – but has not specifically considered intentional threats.
There have been no reports of malicious hacking to date, but it could happen. According to GAO’s report:
“There have been four separate demonstrations in controlled settings, showing that the intentional exploitation of vulnerabilities in certain medical devices is possible. Each of these demonstrations involved laboratory tests and did not result in patient harm or death. The first demonstration occurred in 2008, when a team of academic researchers, working in a controlled setting, showed that they could remotely exploit a defibrillator by delivering a command, using the associated wand and programmer. A second demonstration occurred in 2010, when a team of academic researchers remotely exploited an insulin pump, preventing it from operating properly. Two additional demonstrations occurred in 2011, when two security experts, also working in controlled settings, showed on separate occasions that they could also remotely exploit an insulin pump. Both of these experts demonstrated they could manipulate the amount of insulin dispensed by the device. These demonstrations occurred at varying distances. For example, one demonstration occurred at a distance of 100 feet, while another occurred at approximately 300 feet.”
At a conference in Australia last week, security researcher Barnaby Jack used a laptop to take control of an implantable cardioverter-defibrillator (ICD) from up to 50 feet away, triggering the delivery of an 830V shock. Besides the obvious safety concerns, unauthorized access poses risks to privacy as well as the integrity of data stored by a device. Many devices have no capability to discriminate between authentic and inauthentic commands.