The US Department of Homeland Security is investigating about two dozen cases of suspected cybersecurity flaws in medical devices, according to a senior official.
An infusion pump from Hospira and implantable heart devices from Medtronic and St Jude Medical are among the products under review by the agency's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), according to others familiar with the cases who asked not to be identified because the probes are confidential.
The agency is concerned that hackers may try to gain control of the devices remotely to carry out attacks such as instructing an infusion pump to overdose a patient with drugs or forcing a heart implant to deliver a deadly jolt of electricity, the sources said, though they added that the cyber-threat should not be overstated as there are no known instances of such attacks.
The senior DHS official told Reuters the agency is working with manufacturers to identify and repair software coding bugs and other vulnerabilities that hackers can potentially use to expose confidential data or attack hospital equipment. He declined to name the companies.
"These are the things that shows like 'Homeland' are built from," said the official, referring to the US television spy drama in which the fictional vice president of the United States is killed by a cyber-attack on his pacemaker.
"It isn't out of the realm of the possible to cause severe injury or death," said the official, who did not want to be identified due to the sensitive nature of his work.
Hospira, Medtronic and St Jude Medical declined to comment on the DHS investigations. All three companies said they take cyber-security seriously and have made changes to improve product safety, but declined to give details.
According to the senior DHS official, the agency started examining healthcare equipment about two years ago, when cyber-security researchers were becoming more interested in medical devices that increasingly contained computer chips, software, wireless technology and Internet connectivity.
The senior DHS official said the two dozen cases currently under investigation cover a wide range of equipment, including medical imaging equipment and hospital networking systems, with the agency looking into suspected vulnerabilities to try to help the manufacturers rectify them.
One of the cases involves an alleged vulnerability in a type of infusion pump, a piece of hospital equipment that delivers medication directly into a patient's bloodstream. Private cyber-security researcher Billy Rios said he discovered the alleged bug but declined to identify the manufacturer of the pump. Two people familiar with his research said the manufacturer was Hospira.
Rios said he wrote a program that could remotely force multiple pumps to dose patients with potentially lethal amounts of drugs. He submitted his analysis to the DHS.
"This is an issue that is going to be extremely difficult to patch," said Rios, a former Marine platoon commander who has worked for several Silicon Valley technology firms and recently founded security start-up Laconicly.
Hospira spokeswoman Tareta Adams, while declining to comment on specifics, said the company is working to improve the security of its products.
"Hospira has implemented software adjustments, distributed customer communications and made a commitment to evaluate other changes going forward, while ensuring we are not adversely impacting the ability of our devices to meet hospital and patient needs, and maintain compliance with FDA product requirements," Adams said in the statement.
The DHS is also reviewing suspected vulnerabilities in implantable heart devices from Medtronic and St Jude Medical, according to two people familiar with the matter.
They said the probe was based in part on research by Barnaby Jack, a well-known hacker who died in July 2013. Jack had said he could hack into wireless communications systems that link implanted pacemakers and defibrillators with bedside monitors.
Medtronic spokeswoman Marie Yarroll said in an email that the company has "made changes to enhance the security" of its implantable cardiac devices, but declined to give specifics "in the interest of patient safety."
St Jude Medical spokeswoman Candace Steele Flippin also declined to discuss specific products but said the company has "an ongoing program to perform extensive security testing on our medical devices and networked equipment. If a risk is identified, we will issue patches for any known issues."