While medical devices have yet to become a main target of hackers’ attacks, a group of U.S. lawmakers wants to address the concern before the problem arises.
The interest in medical device hacking stemmed from security researcher Jeremy Radcliffe’s demonstration in which he hacked his own insulin pump.
Medical Device Security Center researchers also hacked pacemakers and defibrillators using wireless methods in 2008, InformationWeek reports.
Groups such as the Information Security and Privacy Advisory Board have recently proposed that the Food and Drug Administration address medical device security before devices are sold.
The board issued a letter to the Office of Management and Budget on March 30, in which chairman Daniel J. Chenok said the government should make one agency responsible for overseeing medical device cybersecurity.
Chenok said the National Institute of Standards and Technology should work with the FDA to research cyber features that would be enabled by networked devices in federal settings.
The group also suggested that software features should be built into the devices when purchased, instead of having to download them.
Reps. Anna Eshoo (D.-Calif.) and Edward Markey (D.-Mass.) asked the Government Accountability Office to prepare a report on the matter, and that report is expected to be ready by July.
Researchers have been able to tap medical devices wirelessly, but the FDA has yet to receive any reports about patient safety incidents resulting from hackers.
However, the Department of Veterans Affairs had 173 reported incidents of malware-infected medical devices from January 2009 to spring 2011. The VA responded by using virtual local area networks to isolate 50,000 devices, the report said.
Purdue and Princeton University researchers recently developed a prototype of a firewall that could be used to protect medical devices from outside interference.
MedMon monitors device communications and can send out block signals when it detects abnormalities. MedMon developer Niraj Jha said the risk of medical device hacking is low, but it is still necessary to implement some sort of security measure.