The Show on KJZZ

Listen live weekdays at 9 a.m.

Doctor-Hackers Raise Awareness Of Medical Device Vulnerabilities

Published: Monday, June 12, 2017 - 5:05am
Audio icon Download mp3 (1.68 MB)
(Image courtesy of
Some pacemakers are potentially vulnerable to wireless manipulation, according to security research.

Members of the medical and hacker communities are raising concerns about cybersecurity vulnerabilities affecting medical records, infrastructure and devices.

Experts have long warned of security flaws in medical devices — insulin pumps that can deliver deadly doses, for example.

Ransomware like the WannaCry virus — which shut down at least 16 hospitals in Great Britain, and which experts say could spread to devices — has taken those concerns from serious to critical, as Christian Dameff, an emergency medicine doctor at Maricopa Medical Center, explained.

“When thousands of patients have these devices — or even hundreds of thousands who interact with the health-care system are exposed — it’s clear that we need to do something about it,” Dameff said.

Dameff and pediatrician Jeff Tully of Phoenix Children’s Hospital — both “white hat” hackers and alums of the University of Arizona College of Medicine in Phoenix — organized the recent June 8-9 CyberMed Summit on campus.

Tully said exploits can involve a wide array of systems because many of them share established code and common hardware. Moreover, patching such devices takes a bit more effort than updating a cellphone or home computer.

“So, it’s really kind of starting from the ground up when we design these types of things, to build cybersecurity in as a primary ingredient and not as an afterthought,” he said.

In addition, many devices include wireless connectivity capability. This grants the device additional capabilities — a pacemaker might alert a cardiologist of a patient’s heart irregularity, for example — but they also open a potential route to hacking.

Both doctors agree that, unless something is done, it’s only a matter of time before something bad happens. Still, Tully said he doesn’t want to be alarmist.

In addition, officials are starting to take notice. The Health Care Industry Cybersecurity Task Force, established by the Cybersecurity Act of 2015, released its recommendations to the Department of Health and Human Services this month, and the Food and Drug Administration is beginning to take a stronger role as well.