The security flaws with these devices led Scott Erven of Essentia Health to conduct a two-year study on devices in use at the company’s healthcare facilities and the potential for remote hacking. The results, published in Wired magazine, were quite surprising:

  • Drug infusion pumps could be remotely accessed without authorization to change dosages.
  • Bluetooth-enabled defibrillators could be hacked to deliver random shocks or prevent necessary shocks.
  • X-rays lacked secure access measures.
  • Temperature settings on refrigerators storing blood and drugs could be reset.
  • Electronic health records could be changed, leading to misdiagnosis, incorrect drug prescribing, or unnecessary treatment.
  • Many medical devices with web interfaces lacked password protection or had weak or universal passwords.4

In October 2014, the FDA issued its final guidance document, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices; Guidance for Industry and Food and Drug Administration Staff,” which called for manufacturers to develop a set of cybersecurity controls to assure medical device functionality and safety during the design and development stages (a proactive, rather than reactive, measure).5 However, the FDA highlighted that balancing security with medical device functionality would be challenging. The previous GAO report stated that mitigating security risks could affect the performance of the devices, such as limiting battery life with newly implemented controls. The FDA included this in its final guidance document and urged that “security controls should not unreasonably hinder access to a device intended to be used during an emergency situation.” The agency concluded with the recommendation that medical device manufacturers provide justification in the premarket submission for the security functions chosen for their medical devices. In comparison, the agency’s draft guidance “General Wellness: Policy for Low Risk Devices,” issued in January 2015, does not require low-risk products, such as fitness trackers/wearables or apps that monitor daily energy expenditure and caloric intake, to have similar security measures.6