Cybersecurity and Healthcare: Are Devices Getting Hacked?

January 18, 2017//Ellen Neveux

Last Updated: November 18, 2020

On August 25, 2016, the research firm Muddy Waters Capital LLC released a report calling for the recall and remediation of pacemakers produced by St. Jude Medical. The specific cybersecurity flaws outlined in the research include:

  • Concern that hackers could induce a “crash attack” that causes the device to malfunction and pace at a lethal rate
  • Caution that hackers located within 50 feet of an implanted device could trigger rapid battery drain

St. Jude Medical released security patches for their pacemaker devices following these findings. Does that mean the situation was resolved? Here is where the story grows more complex.

A tangled financial web
At the time of the allegations made by Muddy Waters, St. Jude was being acquired by Abbott Labs for approximately $25 billion. In September 2016, St. Jude filed a still-pending lawsuit charging the report was a manipulative effort to engineer an illegal financial windfall.  Concurrently, the Food and Drug Administration (FDA) initiated an inquiry into the Merlin@home Transmitter manufactured by St. Jude.

In December, the FDA released final guidance on the postmarket management of medical device cybersecurity. The document offers nonbinding recommendations for manufacturers of devices to implement comprehensive security protocols over the lifecycle of their products.

In January, the FDA took the step of detailing cybersecurity vulnerabilities it identified in the St. Jude device, essentially confirming concerns surfaced by Muddy Waters in 2016. Simultaneously, St. Jude released patches to its Merlin system to address those concerns.

Ongoing vulnerabilities
The economic, regulatory, and security issues surrounding St. Jude pacemakers highlight the urgent concern that many medical devices lack adequate electronic security and could be remotely hacked.  In October, global pharma and medical device manufacturer Johnson and Johnson took the unusual step of voluntarily informing approximately 114,000 patients that one of its older insulin pumps has a security vulnerability. The company offered workaround information on the defect.

The trend in use of mobile medical devices is escalating with no plateau in sight. The delivery of life- and cost-saving services like telemedicine and robotic surgery offers significant benefits – and challenges – to designers, manufacturers, vendors, and consumers.

According to the International Trade Administration, the United States leads the world in the production and consumption of medical devices, with a market value of more than $140 billion. The hacking of medical equipment still lies in potentia—no actual hack of a medical device has been reported.

However, imagine in the not-too-distant future a critical, personal medical device taken offline by ransomware.  The security of healthcare technology providers and their medical devices could very well become a matter of life and death.

About SecureLink

Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy, efficient, and ensures compliance and reduces liability when supporting customers.

close close