The Homeland Security Department warned about a cybersecurity flaw for one manufacturer's implantable heart devices that it said could allow hackers to remotely take control of a person's defibrillator or pacemaker.
The government advisory said security patches will be rolled out automatically over months to patients with a device transmitter at home, as long as it is plugged in and connected to the company's network. The transmitters send heart device data back to medical professionals.
The Food and Drug Administration said there was no evidence patients were harmed. The FDA's review is ongoing, agency spokeswoman Angela Stark said. Its investigation confirmed the vulnerabilities of the home transmitter, which could potentially be hacked and used to rapidly deplete an implanted device battery, alter pacing and potentially administer inappropriate and dangerous shocks to a person's heart.
Similarly, Johnson & Johnson has told patients that it has learned of a security flaw in one of its insulin pumps that a hacker could exploit to overdose diabetic patients with insulin, though it describes the risk as low.
"Your average patient isn't going to be targeted by assassins," said Matthew Green, an assistant professor of computer science at Johns Hopkins University. "An attack on this level is low-probability but very high-impact." He called it "probably the most impactful vulnerability I've ever seen."
Green said many of the more severe vulnerabilities identified for the devices themselves have not been fixed, but new software would make the home system a little more secure.