Over 90 Total Lots Up For Auction at One Location - WA 04/08

Yes, Cheney's pacemaker cyber attack fears were credible

by Carol Ko, Staff Writer | October 24, 2013
Suzanne Schwartz, FDA
Former vice president Dick Cheney made headlines this week after admitting in a 60 Minutes interview that he disabled his pacemaker's Wi-Fi in 2007 to thwart terrorists who might try to hack into it and kill him.

Though this scenario sounds like something out of a science fiction movie (an episode of the Showtime series "Homeland" featured a similar plot line), it turns out these fears aren't unfounded.

In 2008, computer scientist Kevin Fu, now at the University of Michigan, demonstrated in a research lab that he could hack into a combination heart defibrillator and pacemaker to induce potentially fatal electric jolts.

Last year, researchers at computer security firm McAffee claimed they'd found a way to hack into an insulin pump to make it release 45 days worth of insulin in one go.

And finally, security analysts Terry McCorkle and Billy Rios of Cylance discovered a hard-coded password vulnerability affecting over 300 devices across 40 vendors that could be exploited to change critical settings or modify the device. They alerted the U.S. Food and Drug Administration to their findings.

Devices affected included ventilators, drug infusion pumps, external defibrillators, patient monitors, and laboratory and analysis equipment.

The agency took action by communicating with the vendors identified in the study and holding a stakeholder call in which their anonymity amongst each other was maintained.

However, it took some heat when it rebuffed hospital security officers' requests to access the list of implicated devices. "We were not going to give out that information publicly," said Suzanne Schwartz, director of emergency preparedness/operations & medical countermeasures at the CDRH/FDA, in a web conference call hosted by ECRI Institute.

Schwartz explained that if Rios and McCorkle had wanted to invest more effort, they could have identified thousands of more devices with similar vulnerabilities.

"The lesson is not to point fingers at one particular manufacturer or system but rather to view this as a call to action to keep our shops in order," she said.

Blame game

Of course, part of the problem with medical cybersecurity is that there's no single entity in charge of keeping those shops in order, so to speak.

In the past, hospitals and manufacturers have pointed fingers at each other for hampering cybersecurity efforts. Manufacturers claim that hospitals don't want to pay for it, while hospitals claim manufacturers don't provide devices they can secure.

You Must Be Logged In To Post A Comment