On the Money

As cyberthreats multiply, hackers now target medical devices

Getty Images

Hackers can invade your bank account and steal your identity. So is there also a cyber threat to your health?

Earlier this month, Johnson & Johnson notified 114,000 diabetic patients that a hacker could exploit one of its insulin pumps. The J&J Animas OneTouch Ping could be attacked, disabling the device or altering the dosage.

J&J said the risk is extremely low, but suggested ways users could mitigate that risk. Could other medical devices, like infusion pumps and pacemakers, vulnerable to a malicious hacker?

"There is no [impervious] device," Kevin Fu told CNBC's "On the Money" in an interview, "pretty much every device that has a computer in it is breakable. "

Fu, who directs the University of Michigan's Archimedes Center for Medical Device Security, added that "the dirty little secret is that most manufacturers did not anticipate the cybersecurity risks when they were designing them a decade ago, so this is just scratching the surface really."

The OneTouch Ping is 8 years old, and J&J says newer models with encryption technology are harder to hack. However, it's not just a malicious hacker that can do damage to medical devices.

Fu tells CNBC something as simple as malware, ("malicious software") loaded onto a USB drive or coming through a network connection can infect hospitals and "cause havoc."

"The bigger issue is really the continuity of operations of the hospital system," Fu said, and whether "they withstand malware of ten years ago that still breaks into medical devices."

Fu added: "The more interesting question is not whether you can hack into a device, but how well do those devices tolerate the kind of threats that are just endemic to computing today and endemic to the internet."

That risk covers "all sorts of devices that are in the hospital," Fu said. He mentioned infusion pumps that are bedside devices in hospitals. Plus defibrillators and pacemakers, patient monitors, and radiation therapy machines.

According to security firm Symantec, healthcare providers spend an average of less than 6 percent of their information technology budget on security. That compares to financial and banking institutions, which doles out an average of more than 13 percent, and the federal government, which spends 16 percent of its IT budget on security.

Earlier this year, the U.S. Food and Drug Administration issued draft guidance to medical device manufacturers on how to address the evolving cyber threat.

In a written response, the FDA told CNBC they have "expanded the scope of its work in cybersecurity over the past several years. We have worked diligently to bring the health care community together to propose and implement shared solutions to addressing cybersecurity concerns," the agency added.

Fu acknowledged the FDA's work, but said far more needed to be done. "I think manufacturers will be improving, but it's not going to be an overnight fix."

Threat or no threat, Fu believes the benefits of advanced medical devices far outweigh the risk of any cyberattack.

"Personally, I think patients are far safer with these devices than not," he said. Still, "the patient should talk with their physician. The risk/benefit decision has to be made between the particular patient and the particular physician."

On the Money airs on CNBC Saturday at 5:30 am ET, or check listings for air times in local markets.