GAO Report: FDA Should Look Into Security Vulnerabilities for Medical Devices Like Insulin Pumps

Last summer, hackers at the Black Hat security conference demonstrated a frightening possibility: that insulin pumps and other medical devices could be vulnerable to attacks and incursions.

Now the Government Accountability Office has weighed in on the issue. In a report released last week, the GAO asks the FDA to develop a strategy to address information security risks for insulin pumps, implantable defibrillators, and other medical devices. Just like websites, according to the experts the GAO consulted, these devices could be vulnerable to malware, unauthorized access, and denial-of-service attacks. “A denial-of-service attack could be launched using computer worms or viruses that overwhelm a device by excessive communication attempts, making the device unusable by either slowing or blocking functionality or draining a device’s battery,” says the report. Medical data generated by the devices could be wiped or stolen; therapies could be altered—say, to make a pump release more insulin.

One big reason for the lack of security: Most, if not all, of these devices don’t actually require passwords. That may sound ridiculous, seeing as we’re used to plugging in passwords to perform such low-stakes activities as logging into a website commenting system. But it’s not so simple as turning on an authentication process, says the report. For one thing, a good security system could slow down medical treatment in case of an emergency. Furthermore, according to some, locking down the devices could sap batteries, and swapping out power supplies for an implantable defibrillator requires surgery. But others whom the GAO consulted said that technology has progressed to the point that it would not drain a battery too much to add an authentication process.

For a long time, the FDA had focused on unintentional threats to implanted medical devices—like interference from electromagnetic activity. But in response to the report, the agency says it has begun examining these potential security risks in earnest.

In other news of the FDA and new technologies, a new bill proposed by Rep. Mike Honda, D-Calif., would establish an Office of Mobile Health within the agency to evaluate apps that claim to provide health care of some sort. The Healthcare Innovation and Marketplace Technologies Act, Honda said in a statement, would help lower barriers to entry for startups in the health space.