The absence of reported hacks on medical devices doesn't mean they aren't happening, experts say, because there are no mechanisms in place to detect them.
The FDA has made medical device cybersecurity a high priority, even as it stresses that there have been no reported incidents of malicious medical device hacks or of patients harmed by a security-related issue.
But that assurance is based more on assumption than fact, experts say. And other evidence gathered in real-world healthcare environments suggests that the lack of cybersecurity reports at the FDA is more suspicious than comforting.
"I think we're making a reasonable assumption that [malicious hacking] hasn't happened, but it's not based on any empirical evidence one way or the other," Codenomicon medical security global director Mike Ahmadi told MassDevice.com in an in-depth interview. "It may have happened."
Experts like Ahmadi, whose company is helping to provide the tools for the FDA's newly announced "cybersecurity lab," temper their remarks by explaining that the risks of a medical device hack pale in comparison to the devices' life-saving benefits. But they also want patients to be aware of the risks, however small they may prove to be.
"I hear this argument all the time, from vendors especially, that it hasn't happened yet, that it isn't really a security concern," medical device hacker and cybersecurity expert Jay Radcliffe told us after his recent presentation at the Black Hat cybersecurity conference in Las Vegas. "Does that mean we should just ignore it?"
Absence of evidence is not evidence of absence