Medical devices next on hackers' target list?

April 5, 2010 by MassDevice

Hackers have already hijacked a patient support website for epileptics, MRI machines and electronic medical records. Are implantable medical devices next?

Computer hackers have already hijacked medical targets, including MRI machines, electronic medical records systems and even a patient-support website for epileptics. Researchers writing in the New England Journal of Medicine are calling for improvements to the security and privacy of implantable medical devices.

Writing in the April 2 issue of the NEJM, Dr. William Maisel, a well-known cardiologist, and Tadayoshi Kohno of the University of Washington in Seattle compared the current state of medical device security to the pharmaceutical supply chain in the early '80s. Citing the 1982 cyanide poisoning of Tylenol, which killed seven people, Maisel and Kohno wrote that medical devices "like the drug supply of a generation ago, face a security vulnerability that must be addressed through regulatory and scientific actions."

"We think medical device security should be improved before there is a widespread incident, rather than waiting for the incident to occur and then acting," Maisel wrote in an e-mail to MedPage Today. "It is very difficult to add on security after the fact."

Last year, a computer virus called Conficker infected hundreds of MRI devices around the world, including at dozens of U.S. hospitals. The virus caused the imaging machines to ask for instructions over the Internet, presumably from the hackers who created the virus. More than 300 devices, which the manufacturer says are not designed to connect to the web at all, were compromised via an unpatched version of a Microsoft operating system used in embedded devices.

The Food & Drug Administration may have inadvertently contributed to the hack. Normally, a simple patch installation would eliminate the vulnerability. But FDA rules require 90 days of notice before patches are installed. The Conficker virus infected thousands of other machines in hospitals — ranging from personal computers to sensitive medical devices.

In a separate incident last year, hackers claiming to have tapped a Virginia medical records database demanded a $10 million ransom. The data were part of a program to track frequently abused drugs such as OxyContin and Vicodin. In another case cited by Maisel and Kohno, hackers sabotaged an Epilepsy Foundation website, causing it to display flashing lights that induced seizures in some patients.