Can My Medical Device Be Hacked? We Asked Experts

Increasing cyberattacks against healthcare organizations leave millions of patients with their data exposed and their lives endangered. Healthnews asked two experts if criminals can hack our personal medical devices, such as insulin pumps or pacemakers.

In September 2022, the U.S. Food and Drug Administration (FDA) warned that certain insulin pumps could allow unauthorized access to the pump system, which may cause the pump to deliver too much or too little insulin.

Experiments revealed similar vulnerabilities in various medical devices, ranging from a Wi-Fi baby heart monitor to an insulin pump, but there is little evidence of breaches in real life.

When former vice president Dick Cheney had his defibrillator replaced while still in office in 2007, the device had to be modified so it couldn't be hacked by terrorists who might try to kill him.

However, it is unlikely that criminals would hack into an average American's insulin pump or other medical device, says Chad Holmes, a security evangelist at Cynerio, a cybersecurity company based in New York.

If you're the average American, those devices are going to give you much more care than the risk.

Chad Holmes

How to protect your medical device

Although the likelihood of having your glucose meter or pacemaker hacked is low, it is better to be safe than sorry.

Dr. Eugene Vasserman, an associate professor at Kansas State University, recommends taking general precautions. For example, if the device is paired with a smartphone, protect it with a strong password and avoid installing apps you don't trust.

Make sure you're connecting to wireless networks that are password-protected and that you trust. Don't download stuff that could indirectly interact with the medical application component that's running on your phone and, therefore, prevent the medical device from functioning properly.

Dr. Eugene Vasserman

Ultimately, the security of medical hardware is up to the manufacturer, Vasserman says. Therefore, the user should follow the manufacturer's instructions to ensure the device is configured correctly.

Holmes recommends doing basic research to understand what security features the device has and discussing the best way to protect it with your medical professional.

He emphasizes the importance of understanding whether and when a device is connected to a network.

"If the device is connected to the internet, even if it is connected to your phone, make sure you understand when, how, and how frequently it is connecting. This will allow you to minimize the risk it may introduce," Holmes adds.

What are the signs my device is hacked?

One of the signs that your medical device has been hacked could be unusual activity, such as slowing down or displaying unexpected things, Vasserman explains.

He says any unusual behavior should be reported to the manufacturer, the only entity qualified to determine the cause of abnormal activity.

Other examples of unusual activity are the device becoming unresponsive or having more errors than it normally does, Holmes says.

He adds, "Any abnormal behavior could mean that the device just needs to be replaced, or it could be a sign that it has been compromised."

Organizations are under attack

While criminals are unlikely to hack individuals' medical devices, cyberattacks against healthcare facilities have been increasing at alarming rates, according to a 2022 report by Cynerio and the Ponemon Institute.

More than half (56%) of organizations experienced at least one cyberattack in the past 24 months involving medical devices connected to healthcare IT systems via Wi-Fi, the report reveals.

Holmes explains that hackers aim to drive revenue by stealing patient data and selling it. They also try to encrypt devices so they can demand and collect ransom, which usually ranges from $250,000 to $500,000.

One in four Americans had their health information exposed in 2023, an all-time high, according to an estimate by Cynerio.

Stolen medical records may leave patients vulnerable to scams and identity theft, allowing criminals to buy pricey medical equipment or make fraudulent insurance claims in a victim's name.

Cyberattacks against healthcare institutions can also have grave health consequences. Holmes cites the Cynerio/Ponemon survey, where 24% of respondents saw mortality rates increase following cyberattacks.

Taking services offline may result in deferred treatments, longer hospital stays, and longer recovery time.

Holmes says, "Cyberattacks have a direct impact on health care, although they are not targeting individuals but broader hospitals. And they are going to continue because hackers are making a lot of money from them. We need to find a way to work together to secure our critical infrastructure better."
