US 'probes hackable flaws' in medical devices

X-Ray Image copyright Thinkstock
Image caption The US government is reported to fear that pacemakers could be hacked

US officials have revealed they are investigating about two dozen suspected examples of medical equipment vulnerable to hack attacks, potentially putting patients' lives at risk.

The products include heart implants and drug infusion pumps, according to a report by the Reuters news agency.

It said investigators were concerned that flaws in the kit could be used to cause heart attacks and drug overdoses.

There are no known examples of deaths having happened this way.

One expert suggested that investigators' efforts would better channelled elsewhere.

But the Department of Homeland Security indicated its fears were justified.

"It isn't out of the realm of the possible to cause severe injury or death," an unidentified government official told Reuters.

"These are the things that shows like Homeland are built from."

The TV series Homeland featured a plot in which a fictional US vice-president was targeted via his pacemaker.

Image copyright Thinkstock
Image caption There have been warnings that drug overdoses could be given by internet-connected kit

Dick Cheney, who was vice-president under President George W Bush, later revealed he had feared a similar attack and had the wireless connectivity of his pacemaker disabled.

Hacked pumps

The inquiry is reportedly being co-ordinated by the US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-Cert).

It is said to also cover medical imaging equipment and hospital networking systems.

The probe is reportedly an extension of research by Barnaby Jack, a security expert who died in July 2013, a week before he was scheduled to give a talk on the topic at the Black Hat conference.

He had earlier told the BBC about a way he had found to compromise insulin pumps used by diabetic patients, which connected to the internet to get updates.

"We can influence any pump within a 300ft [91m] range," Mr Jack told the BBC. "We can make that pump dispense its entire 300-unit reservoir of insulin and we can do that without requiring its ID number."

Image copyright AP
Image caption Barnaby Jack spoke to the BBC in 2012 about medical device hacks

Reuters said that government staff told it they were working with device-makers to identify and patch software bugs and other vulnerabilities.

Three manufacturers, whose kit is believed to affected, told the news agency that they had already made safety improvements, but declined to provide specifics. The BBC requested further comment and one of the firms, Medtronic, provided a statement.

"We are committed to addressing the industry-wide issue of wireless hacking," it said.

"We believe the risk to an individual customer is low and the therapeutic benefits of our cardiac devices for treating heart conditions and insulin pumps for diabetes far outweigh this risk.

"Medtronic has already taken a number of concrete actions to enhance device security and... will assess whether additional security measures can be implemented without compromising the therapy that the device is designed to deliver to patients."

However, one expert suggested that the danger of such hacks was minor when compared with the risks caused by another tech-related problem with medical equipment - inconsistent user interfaces - and that efforts would be better spent on that issue.

"We've got no documented cases of people being killed as a result of hacking of medical equipment, but there are many instances of people dying as a result of safety usability failures," said Ross Anderson, professor of security engineering at the University of Cambridge.

"You can find instances of pumps from the same manufacturer where the up key and the down key might be '2' and '5' on one pump and '2' and '7' on another - the design of some medical equipment interfaces is as careless as the design of aircraft cockpits was in the 1930s.

"And there have been tragic cases, not just of kids being killed when they are given 10 times the dosage of morphine or whatever, but of nurses who are blamed for this subsequently committing suicide."

More on this story

Related Internet links

The BBC is not responsible for the content of external Internet sites