23 Jan
FDA Issues Warning On Certain Cardiac Device Security Issues
In 2015, the FDA issued warnings about a pair of infusion pumps – “smart” medical devices that had demonstrated security flaws. It was the first time in history that security researchers demonstrated that a hacker could take control of these life-saving devices remotely and use them to kill the patients they were protecting.
Since that time, we’ve witnessed a breathtaking increase in the size of the IoT (Internet of Things). It is poised to surpass the combined size of internet-connected PCs and smartphones later this year, and there’s no end in sight to its phenomenal growth.
The problem is that PCs and smartphones are several orders of magnitude more secure than virtually every internet-connected object in use today. Most IoT devices lack even the most basic security protocols, and, worse, the companies that manufacture them have shown an almost complete lack of interest in changing that.
It’s a problem in general because hackers are enslaving them almost as fast as they come online, and they’re assembling botnets of unprecedented size. The botnets are being used to launch Denial of Service attacks capable of knocking companies offline, or, as was painfully demonstrated late last year, taking down much of the US’s internet.
The problem is even worse where medical devices are concerned, because once control is gained, the hacker controlling the device can quite literally kill the patient it’s hooked up to.
Another warning was issued in 2016, this time about a pair of smart cardiac devices made by St. Jude Medical.
The company initially denied that the hack was possible, but later reversed its opinion. There’s some ongoing infighting about the way the hack information was released, but this latest warning has spurred the FDA to begin the process of drafting new rules establishing minimum acceptable security standards for smart medical devices.
The hope is that these standards will permeate the industry, and that more equipment manufacturers will begin taking steps to bolster the security of the devices we increasingly rely on.