For years, companies have been connecting medical devices to the internet, allowing everything from hospital machinery to consumer products to do more, and faster.

What could go wrong?

A lot, cybersecurity experts say. Though actual instances of hacking, as far as industry and experts know, have yet to occur, the medical-device industry and hospitals are way behind when it comes to guarding against these threats, they say.

The longtime subject of concern flared up again this week, after Johnson & Johnson (JNJ) said its Animas OneTouch Ping insulin pump could be hacked using sophisticated equipment. The company said the risk was “extremely, extremely low” and urged consumers to continue using their devices.

Hacking vulnerabilities in insulin pumps, including products by Medtronic (MDT) and Insulet (PODD), have featured prominently over the years because of the pumps’ wireless connections and limited security features.

But cybersecurity vulnerabilities extend beyond insulin pumps to virtually all medical devices connected to a network, including CT imaging and radiology machines and devices implanted in the body such as pacemakers and other machines with liver or dialysis functions, said Mick Coady, health information and privacy security partner at PwC.

“From a cyber perspective, the manufacturers themselves are in an awkward position, because the [research and development] lifecycles haven’t been inclusive of thinking about security when making the devices,” Coady said.

New draft guidelines early this year from the Food and Drug Administration advise companies on strategies for avoiding medical devices’ cybersecurity risks. But some critics have noted the guidelines’ voluntary nature and said the draft doesn’t go far enough.

But what could hackers do with access to medical devices? A common focus of cybercrime — stealing personal information and trying to monetize it — could be readily adapted to the device space, according to Michael Kaiser, executive director of the National Cyber Security Alliance.

Hackers could gain access to all kinds of medical devices, cybersecurity experts told MarketWatch. (© Provided by Dow Jones & Company, Inc.)

Devices could also be co-opted to harm select individuals. Though the concept occurs far less commonly in general cybersecurity, according to Kaiser, it has featured in high-profile instances, both in real life and on TV.

While in office, former vice president Dick Cheney had his defibrillator’s wireless component disabled, fearing a terrorist’s interference with the device.

Elected officials haven’t fared as well in fiction: On an episode of “Homeland,” the vice president was killed after his pacemaker was hacked.

There have also been predictions of ransomware, in which hackers threaten the device in an effort to get paid. The risk could be either to a company or an individual, particularly specific high-profile or wealthy people, Kaiser said.

Hackers could say to a large medical device manufacturer, “‘I have the ability to turn off every insulin pump you’ve ever created, unless you pay me x millions of dollars,’” he said.

“You have to assume the bad guys are going to exploit weaknesses in every way they can, and probably in some ways that we can’t imagine now,” Kaiser said.

Though he does think that health-care players are “very limited” in their approach to cybersecurity, Coady said those risks have to be balanced against realism about the complexity of hacking into devices on a large scale — such that the same ends could probably be achieved in easier ways.

Considering cybersecurity early in the manufacturing process is critical, Kaiser said. But it requires companies to invest in infrastructure and think about cybersecurity in the long term, over the course of a medical device’s use.

Device manufacturers and hospitals haven’t been able to agree about who is responsible for device security in the long term, Coady said. Though not exactly leading the pack, manufacturers are actually ahead of hospital providers here, he said.

http://www.msn.com/en-us/news/other/...you/ar-BBxbwL1