October 2019

Hacking of Pacemakers and Other Implanted Devices

On October 1, the Federal Drug Administration (FDA) issued a warning about the so-called URGENT/11 cybersecurity flaws that leave certain Wi-Fi-enabled medical devices vulnerable to being remote-controlled by hackers, such as cardiac pacemakers, implantable cardioverter defibrillators (ICDs) or insulin pumps.

The FDA indicated that devices potentially at risk are those utilizing IPnet, a decades-old software application that enables wireless networking. According to the statement, a successful cyberattack could allow a hacker to remotely change a device’s function, cause a denial of service, information leak or logic flaw that could lead the device to malfunction.

Although there have been no reports of such cyberattacks, the FDA pointed to a health risk for patients using one of the affected devices and advised healthcare providers to notify patients of potential risks and address the issue in conjunction with patients and device manufacturers.

Because device manufacturers have incorporated an array of configurations to IPnet and its components, the Department of Homeland Security (DHS) is unable to compile a list of affected devices. Therefore, the DHS has advised manufacturers to evaluate and report to the FDA what, if any, cybersecurity risks are posed by their devices.

“This illustrates a scale of digital risk that could not have been foreseen at the time these devices were manufactured,” said Neil Gurnhill, CEO, Node International, London, England. “Companies need to develop these products with security at the forefront of their minds. This is a potentially life or death situation that companies cannot afford to get wrong.”Read More »Hacking of Pacemakers and Other Implanted Devices