Healthcare cybersecurity: Hacking medical devices

In 2016, the research firm Muddy Waters Capital LLC released a report calling for the recall and remediation of pacemakers produced by St. Jude Medical. The specific healthcare cybersecurity flaws outlined in the research include:

  • Concern that hackers could induce a “crash attack” that causes the medical device to malfunction and pace at a lethal rate
  • Caution that hackers located within 50 feet of an implanted device could trigger rapid battery drain

St. Jude Medical released security patches for their pacemaker devices following these findings. Does that mean the situation was resolved? Here is where their story of hacked medical devices grows more complex.

A tangled financial web

At the time of the allegations made by Muddy Waters, St. Jude was being acquired by Abbott Labs for approximately $25 billion. In September 2016, St. Jude filed a still-pending lawsuit charging the report was a manipulative effort to engineer an illegal financial windfall. Concurrently, the Food and Drug Administration (FDA) initiated an inquiry into the Merlin@home Transmitter manufactured by St. Jude. In December, the FDA released final guidance on the postmarket management of medical device cybersecurity. The document offers nonbinding recommendations for manufacturers of medical devices to implement comprehensive security protocols over the lifecycle of their products. In January, the FDA took the step of detailing cybersecurity vulnerabilities it identified in the St. Jude device, essentially confirming concerns surfaced by Muddy Waters in 2016. Simultaneously, St. Jude released patches to its Merlin system to address those concerns.

Ongoing vulnerabilities in healthcare cybersecurity

The economic, regulatory, and security issues surrounding St. Jude pacemakers highlight the urgent concern that many medical devices lack adequate electronic security and could be remotely hacked. In October, global pharma and medical device manufacturer Johnson and Johnson took the unusual step of voluntarily informing approximately 114,000 patients that one of its older insulin pumps has a security vulnerability. The company offered workaround information on the defect.

The use of mobile medical devices is escalating with no plateau in sight. The delivery of life- and cost-saving services like telemedicine and robotic surgery offers significant benefits – and challenges – to designers, manufacturers, vendors, and consumers. According to the International Trade Administration, the United States leads the world in the production and consumption of medical devices, with a market value of more than $140 billion.

The hacking of medical devices still lies in potentia: no actual hack of a medical device has been reported. However, imagine in the not-too-distant future a critical, personal medical device taken offline by ransomware. The security of healthcare technology providers and their medical devices could very well become a matter of life and death.