The U.S. government is taking a closer look at how to stop hackers from taking control of medical devices like pacemakers. An inspector general’s report last month found the Food and Drug Administration’s “plans and processes were deficient for addressing medical device cybersecurity compromises.” The FDA disputes that and says it “has worked proactively” on the issue.
So far, neither government officials nor security experts have identified any incidents in which a computer hacker has harmed a patient through a medical device. But two cybersecurity researchers say those devices have massive vulnerabilities that make it easy for hackers to break in, reports CBS News correspondent Anna Werner.
“There’s nothing stopping us from, in a garage, taking them apart and hacking them. Nothing,” Billy Rios said. Talk to him and Jonathan Butts about the security of medical devices and they’ll say:
“We’ve yet to find a device that we’ve looked at that we haven’t been able to hack,” Butts said.
The two security researchers have examined critical machines like pacemakers, drug infusion pumps and insulin pumps – devices that help keep people alive – and found all have vulnerabilities that would allow someone else to take control of the machines. The reason? All of those devices are run by computers – and computers can be hacked.
For instance, take an insulin pump made by device manufacturer Medtronic.
“Anyone that has this device, that has one of these controllers, we can take it over,” Rios said.
They showed us how they can send a wireless signal, telling the pump to deliver the wrong amount of insulin to a patient nearby who might be wearing it. They also found vulnerabilities in a Medtronic pacemaker that could allow a hacker to reprogram the device from anywhere – disrupting a patient’s heart rhythms in a way that could hurt or kill them.
They’re scenarios that, until now, have been the stuff of TV shows like “Homeland.”
“It sounds like a method for murder,” Werner said. “Am I right?”
“Yeah, there’s – I mean, there’s no coming back from some of these exploits, right?” Rios said. “If a pacemaker for a patient gets hacked, you can’t take that back… You can’t issue them a new credit card. You can’t tell them change their password. You can’t issue them credit monitoring. They’re hurt. They’re killed.”
The pacemaker vulnerability was serious enough they thought Medtronic would want to address it immediately. So in January of 2017, they sent the company a report detailing what they’d found.
“It seemed to us that a lot of it was being downplayed by the manufacturer,” Rios said. “I mean, they were saying, ‘Hey, this isn’t – this isn’t possible. It’s not feasible.’ The way that they characterized it is wrong.”
“They were just completely disagreeing with everything,” Butts said.
So the two researchers decided they had to prove it by writing the code, then demonstrating the potential dangers of both the pacemaker and the insulin pump at a prestigious information security conference.
“After the two live demonstrations, people actually stood up and clapped, which was kind of – took us by surprise,” Rios said.
Medtronic’s response? The company issued a statement saying it had addressed the problem and that “existing security controls mitigate the issue.” But the vulnerability caught the attention of the FDA.
“Any device can be hacked and that’s often not understood,” said Dr. Suzanne Schwartz, who oversees medical device cybersecurity at the FDA. She said manufacturers have been playing catch-up.
“It’s a culture shift,” Schwartz said. “So the actions and the activities that we’re seeing manufacturers take are very encouraging, they’re very promising, but we still have a ways to go.”
In the case of the Medtronic pacemaker, the researchers’ work prompted the FDA to start asking questions of its own.
“That was when Medtronic finally came out and said what we had been saying all along was indeed correct. That there is remote concern, and there is potential to cause patient harm,” Butts said.
Last month, the FDA took action, sending out a warning about certain Medtronic pacemakers, and the company issued a software fix. Medtronic has also instructed users of its insulin pumps to disable certain features to minimize risks. The company declined an on-camera interview, but in a statement to CBS News, Medtronic admitted it “took entirely too long to process, validate and mitigate” the vulnerabilities discovered by the two researchers.
“So do you feel vindicated?” Werner asked.
“I don’t know that we’re looking for vindication,” Butts said.
“At the end of the day… for those manufacturers that don’t want to move and don’t want to fix their devices, I hope they realize that the repercussions are really serious. And we can’t wait for something to happen before they decide to try to fix something,” Rios said.
Medtronic told us it began taking steps to mitigate the vulnerability risks even before Rios and Butts’ live demonstrations. It also told us it has since “significantly improved” its response time to reports of vulnerabilities. That insulin pump, however, is still in use, though the company claims it’s being phased out.