People With Insulin Pumps and Pacemakers Should be Terrified of Hackers

The FDA isn't doing enough to stop medical-device hacking.
June 12, 2017, 7:09pm
Peter Dazeley/Getty Images

Imagine being at dinner with a friend. The food is good, the conversation riveting. The check is on its way. But as you look up from your food, you realize your friend looks pale, maybe even a little jittery. "I feel sick," he says. "My heart is beating so fast."

As he gets up from the table, he collapses. He lies unresponsive on the floor, his limbs rhythmically twitching. Meanwhile, across the restaurant, another customer has already signed his bill and is ready to leave. With chaos everywhere, he can walk away knowing he hacked your friend's insulin pump. With a push of a button, he gave your friend a life-threatening dose of insulin, causing his blood sugar level to crash.


A few weeks ago, the Wannacry ransomware attack targeted more than 200,000 computers. Users around the world received messages demanding money to access their own data. If the ransom was not paid within seven days, the messages warned, their data would be deleted. Medical institutions were included in the attacks, and not for the first time.

Most hospital security efforts have been aimed at protecting electronic medical records, which contain valuable personal information. Less attention has been paid to protecting medical devices. From insulin pumps to pacemakers, these instruments help keep patients alive. And in recent years, they have increasingly become connected to larger electronic health networks to allow doctors to monitor and adjust their function remotely.

This is worrying. The lack of attention paid to the devices' protection means they often have weak security features. This makes them an appealing target for digital thieves. By compromising just one device, a hacker could penetrate an entire electronic health network. Valuable personal information would be at risk.

A more nefarious intruder could cause bigger problems. He or she could change a given device's settings and affect the way it works, or disable the device until the patient pays a ransom. Either way, a life would be threatened.

More From Tonic: I Got My Head Tattooed to Make My Hair Look Thicker

None of this is fantasy. In 2011, a security researcher hacked his own insulin pump with just a USB stick. In 2016, researchers showed they could do the same with an implanted pacemaker.

The WannaCry attack struck medical devices as well. Doctors use Bayer's Medrad Power Injection System to inject a substance called contrast into the veins of patients undergoing medical scans. (Contrast improves the quality of these images and remains in patients' bodies anywhere from a few hours to a week, depending on the type of contrast used and how well a patients' kidneys work.) In the United States, users of one such Medrad device saw the same message as users of affected computers across the world—the device would not work until its user paid the ransom.


To minimize the chaos that such an attack would create, medical leaders and policymakers will need to act quickly. Thankfully, there are steps they can take to help protect human lives. The Food and Drug Administration (FDA) issued guidance on managing cybersecurity for new devices in 2014, and existing devices in 2016. Among other things, the 2014 document asks medical device manufacturers for their rationale in including certain security features in their products and their plans for future software updates prior to a product's approval. It also advises them to incorporate cybersecurity features throughout the product development process, rather than just at the end. The 2016 document explicitly allows them to fix any vulnerabilities in products already on the market without having to go through the approval process again.

These standards are a step in the right direction. They focus the attention of medical device manufacturers on the issue of security. They ask them to think through their decisions. And most importantly, they allow them to fix any flaws they discover after a product is released without punishment. If faithfully followed, these standards would help decrease the risk of a crippling future medical device attack.

As it stands now, however, these standards are non-binding. That needs to change—the status quo leaves too much of the burden of cybersecurity on medical device manufacturers. As companies, they are ultimately driven by financial incentives. Unfortunately, profits may not always encourage the development of effective security protections, which require time and labor. We should not put manufacturers in a position where it might be tempting to cut corners to save on costs.

For that reason, the FDA's guidance should be binding. New products that do not live up to these standards should not be approved, while older ones should be removed from the market and replaced immediately. For those products that cannot be easily removed, software patches should be released as soon as possible.

These efforts will no doubt cost money, and opponents of government regulation may well be philosophically opposed to them. But as recent events have shown, the problem of hacking in the medical community will not simply go away. If we are to counter this emerging threat, we must address the weakest points of the system, like medical devices, that hackers will inevitably target. The United States was largely spared from the worst of the Wannacry attack. But we might not be so lucky next time.

Kunal Sindhu will be a resident physician at Mount Sinai in New York starting in July. Read This Next: Why Ketamine is the Best Drug on Earth