Developments in technology have opened the door for computer hackers to access and attach viruses to medical devices, even those that are implanted in patients. As providers scramble to put solid protection in place, IT security experts have become concerned that terrorists might try to use this type of hacking to potentially injure or even kill patients.

Proof It Could Happen

Mark Gasson, a research fellow at the University of Reading in England, recently proved that these concerns are very real. Gasson implanted a security chip into his hand that he uses to access his cell phone and unlock doors around campus.

In his May 2010 experiment, Gasson ran an experiment in which he programmed a virus into one of the security systems that the chip implanted into his hand interacts with on a regular basis. Not only did the virus transfer to the chip, but the chip then infected other computer systems that it came in contact with afterward.

Gasson reported that the implanted chip is similar to the radio frequency identification that’s already being used in the industry, and that it could be considered a type of core technology that’s used in patient monitoring equipment. He pointed out that there are already pacemakers implanted in patients across the country that can be remotely monitored by physicians via wireless access.

And, he said, most of those devices aren’t equipped with proper security controls (or any at all, in some cases) so technically, anyone who knew how to access it could change the settings and cause physical harm to the patients.

Cyber-Terrorism, IT Security and the Healthcare Industry

These issues have caused such serious concern among the healthcare community that a healthcare system in Sacramento, California held a healthcare cyber-terrorism seminar last August to help prepare providers for the increasingly sophisticated attack methods predicted by IT security experts.

And, a November survey published by the Healthcare Information and Management Systems Society found that an alarming number of healthcare practices and hospital systems don’t even perform security risk analyses. This is probably largely due to the high cost of executing a more secure IT system. While the cost can vary depending on a number of factors, a mid-sized hospital system could shell out more than $100,000 annually to make it happen.

While it makes sense that providers would prefer to spend money to improve patient care, providers have to consider the high potential for patient injury that comes along with leaving their devices and IT systems unprotected.

Then again, even when providers do implement new, more secure IT systems, hackers keep working to find new ways to breach them. And since software manufacturers must get approval from the FDA to distribute security patches, systems can be vulnerable for months before the fix is available to the providers who need them.

Do you think the healthcare system is prepared for these potential cyber-attacks against medical devices? Tell us in the comments!