The FDA’s warning last week about a flaw in Hospira’s (NYSE:HSP) Symbiq drug infusion pump that hackers could exploit to take over the device has cybersecurity experts worried about the rise of the Internet of Things, as more and more medical devices are connected to the web.
The federal safety watchdog said the Symbiq pump can potentially be accessed remotely through a hospital’s network, opening the door to unauthorized changes to the dosage delivered by the pump. The flaw was confirmed by Hospira and an independent researcher. Although no adverse events or unauthorized access in a healthcare setting have been reported, according to the FDA and Hospira, the agency encouraged hospitals and facilities to disconnect all Symbiq devices from their networks. Hospira began phasing Symbiq out in May after the FDA warned of cybersecurity vulnerabilities in its remotely programmed LifeCare PCA3 and PCA5 devices.
“There’s no question that these vulnerabilities can be used to kill someone – we wrote an exploit that would do just that and gave the research to the Dept. of Homeland Security and the FDA,” Billy Rios, a former Google software engineer who now works as a security consultant, told the Washington Post.
“These devices are actively connected to a hospital’s network – and depending on the setup of a hospital’s network someone might be able to potentially access that from the Internet,” added Jay Radcliffe, a diabetic who made headlines in 2011 after he hacked his own insulin pump. “We’re still in the process of getting all the companies to the same level of understanding, that if your device uses computers, you have to be prepared to patch them and update them.”
Malicious hackers have already used unprotected medical devices to break into hospital IT systems in at least 3 instances discovered by a cybersecurity firm last month, so-called “medjacks,” as medical data becomes a holy grail for organized crime. Radcliffe noted that it’s possible there have been unreported injuries or deaths after medical devices were hacked.
“People who are on these devices are typically very sick, so if they die someone might not think to look at the medical device to see if something intentional occurred,” he told the newspaper.
“The forensics capabilities available in these devices are really poor – it would be really difficult to determine if these had been attacked,” Rios added.