Federal officials have issued a warning, saying that certain medical devices are vulnerable to hacking.
When you think of devices that can be hacked, drug pumps probably don't come to mind. After all, for what reason would a hacker even want to target devices such as this? It wouldn't offer any monetary gain like the buying and selling of credit cards on the black market. Nonetheless, there's a growing concern about the security risks of using medical devices like drug pumps.
One particular pump has caught the attention of officials: the Hospira Symbiq infusion pump. This device, commonly used in hospitals, is designed to administer drugs intravenously to patients. It's connected to a larger computer system which allows doctors and nurses to change both the type of drug, as well as the dosage, that the patient receives. If hacked, however, federal officials say patients could be given different drugs with altered dosage.
The good news is that no cases have been reported involving the Symbiq being hacked (nor any other medical device for that matter). However, officials say it can be done. Cybersecurity expert Billy Rios told reporters that pretty much anyone can log into the device without any special type of credentials. There are no usernames or passwords associated with the Symbiq pump, creating a serious gap in security.
“By design, you're allowing it to where someone else can control this thing remotely and do things to the pump, or do things to the device or equipment,"said cybsecurity expert Billy Rios in an interview with CBS News. "You could basically log into this device with no user name and no password."
Of course, this is just one of the many medical devices that are vulnerable to hacking. Doctors and other individuals in the medical profession should take a proactive approach towards protecting their devices and their patients' privacy. Just because a device is available for sale on the market doesn't necessarily mean that it's acceptable to use.
Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities must implement meaningful and appropriate measures to prevent unauthorized access of Protected Health Information. If a hacker were to access a medical device on which PHI is contained, the healthcare practice could be cited for a HIPAA violation if it failed to implement the necessary safeguards.