Medical Device Cyber Attacks: TV Plot or Dangerous Reality?


You may have watched it on “Grey’s Anatomy” or “The Resident”: A cyberattack shutting down millions of dollars’ worth of critical equipment, leaving lives in danger.

It’s not a far-fetched storyline. These episodes are merely fictionalized versions of an increasingly common fact: hackers are already carrying out successful attacks on medical devices in hospitals. And personal medical devices could be next.

The U.S. Food and Drug Administration warned patients and doctors in 2019 of an insulin pump recall due to cybersecurity risks. The agency also sent out a warning letter in 2017 after it found that certain implanted heart devices could be hacked through their home monitoring systems.

The FDA has spent more than a decade trying to stay on top of the growing number of connected devices as well as the growing risk of cyberattacks on those devices. The efforts culminated with new guidance in 2018, but it is still being tested in the real world.

Hospital Attacks Reveal Health Care Cybersecurity Risks

Hospitals are highly profitable targets for hackers using ransomware. This malicious software does just what its name suggests: it locks up a hospital’s computer network and networked medical devices until the hospital pays a ransom.

The attacks target thousands of businesses at a time, and the ransoms are relatively small, making it more likely that hundreds of victims will pay up. Hackers may use a barrage of emails and phishing scams to trick just one employee into clicking a link that downloads ransomware onto the hospital’s whole network. Cybersecurity experts say the malware may remain hidden for 18 months before it’s found or activated.

In 2016, the SamSam ransomware attack forced Washington, DC- and Maryland-based MedStar Health to shut down operations in 10 hospitals and 250 outpatient centers. Hackers demanded a $19,000 ransom paid in Bitcoin. MedStar refused to pay and suffered days of disruptions until it could repair its network.

Indiana-based Hancock Health was hit in the same ransomware attack. It paid $55,000 to get the hackers to return control of its network. MedStar, Hancock and other targets suffered more than $30 million in losses in the SamSam attack. But federal authorities were able to indict two men behind the attacks.

Personal Medical Devices Are Increasingly Vulnerable

Software issues, including security gaps, were the leading cause of medical device recalls for 11 straight quarters through the end of 2018, according to the Stericycle Recall Index. Software problems accounted for 79 medical device recalls in the last three months of 2018 alone.

The FDA has identified software vulnerabilities that could let hackers take advantage of personal medical devices, with the earliest cases dating back as far as 2008.

In June 2019, the agency identified cybersecurity problems with some Medtronic MiniMed insulin pumps used to control diabetes. The vulnerability could let someone take control of the pump through other devices that connect to it over a wireless connection. An attacker could then deliver either too much or too little insulin, debilitating or killing the patient.

At least 11 models of the MiniMed pumps were recalled. The FDA said it was not aware of anyone having exploited the vulnerability.


In 2016, the FDA sent out a warning letter about home monitoring systems for implanted defibrillators. It warned that hackers could use the monitors to control the owners’ heart devices.

The monitors were made by St. Jude Medical, a device manufacturer not associated with the similarly named children’s research hospital. The FDA allowed the Merlin@home monitors to remain on the market, saying the benefits of remote monitoring outweighed any cybersecurity risks.

The following year, the company recalled 465,000 pacemakers that may have had other security flaws.

“Any medical device connected to a communications network, like Wi-Fi, or public or home Internet, may have cybersecurity vulnerabilities that could be exploited by unauthorized users,” the FDA’s Suzanne Schwartz said in a statement.

But she added that wireless technology and software in medical devices can also offer safer and timelier health care.

FDA Rolls Out a Cybersecurity “Playbook” to Head Off Medical Device Hacks

In 2018, the U.S. Food and Drug Administration released a playbook to help health care providers prepare for and respond to medical device cybersecurity issues. The guidelines were co-authored by the nonprofit MITRE Corporation.

“Of particular focus are threats or vulnerabilities that have the potential for large-scale, multi-patient impact and raise patient safety concerns,” the authors wrote in describing the playbook’s scope.

It’s a game plan for device makers, hospitals and other health care providers to act quickly to minimize problems. But it doesn’t address what an individual patient hit with a cyberattack should do.

The FDA issued its first guidelines on cybersecurity standards for the medical device industry in 2005. It ramped up its cybersecurity program in 2013 with a working group that focused on new cybersecurity dangers.

But the agency has had to scramble just to keep up with changing and emerging threats. In 2008, researchers first used radio signals to make an implantable defibrillator deliver potentially fatal electrical shocks.


That same year, the Department of Veterans Affairs began tracking malware found in medical devices. By mid-2016, the VA had recorded 181 cases of infected medical devices.

The FDA has overseen device recalls based on cybersecurity concerns since at least 2015. And it believes it has been able to catch cybersecurity flaws in medical devices before hackers found them. At least, so far.

“The FDA isn’t aware of any reports of an unauthorized user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient,” then-FDA Commissioner Scott Gottlieb said in a 2018 statement.

But he went on to warn that the “risk of such an attack persists.”

Written By Terry Turner
