Hacking into a Remote-Controlled Medical Device is Not Science Fiction Anymore

Exactly 20 years ago, in late July 1995, Hollywood movie, The Net was released with Sandra Bullock in the lead role. The movie led to many predictions such as widely available wireless internet, interconnected information portals, even online pizza ordering (Pizza Hut and Dominos it seems like got their idea for online order from that movie). In one of the scenes, Dennis Miller’s character was killed by the villain hacking into his medical records and changing his prescription. At that time, it seemed outrageous. In his review of the movie, Roger Ebert wrote that the plot was too “concocted’ for him to care for it. We all know that most of the above are mundane tasks these days. Medical records are increasing online and on cloud, more and more medical devices are remotely controlled via Bluetooth and internet connected software. Cybersecurity of medical software is a valid concern and FDA is working rapidly to update its policies to regulate software. In a first of expectedly many such incidences,
 FDA issued a warning for a medical device connected to internet due to hacking concerns.  Hospira’s Symbiq Infusion System is used to infuse drugs into patients in a hospital setting. This device can be accessed remotely via computer network at a given hospital allowing a malicious hacker to change the dose of the infused drug. Although FDA claims no such hacking has been reported, the potential of bodily harm is so enormous that FDA issued an emergency alert to all hospitals using this medical device to unplug the device from network, and take additional measures to avoid intentional or unintentional network access to the device. Hospira too released its own
 warning to all its customers and infusion pump users to immediately take precautions. This event raises a new level of concern for network connected devices. The risk is very real with so many network-enabled information systems and medical devices. We live in a new world where malicious hackers could access our medical records, alter how our medical devices work by tinkering with the software controlling them, and expose us to vulnerabilities previously unknown. FDA has involved the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to help deal with such issues. This is a national security issue. We cannot reverse the advancement in technology and negate the benefits of wireless devices. We should expect more stringent rules and guidance documents describing controls to be implemented to protect patients very soon.