The US Food and Drug Administration said implanted devices, which could include pacemakers or defibrillators, could be connected to networks that are vulnerable to hackers.
An FDA warning notice was sent to medical device manufacturers, hospitals, medical device user facilities, health care technical staff and biomedical engineers.
It said the agency has recently “become aware of cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations.”
“The FDA is recommending that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack,” the warning said.
These devices or systems could be compromised “by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks,” the FDA said.
“This may sound like it is out of a science fiction movie, but the threat is conceivably a serious one,” said Jon Ogg at 24/7 Wall Street.
“Can you imagine a device being retooled maliciously, like an inserted pacemaker/defibrillator? Or imagine if a robotic surgery system was maliciously recalibrated in even a slight manner for surgeries.
“The list of threats is endless.”
The FDA said it was “not aware of any patient injuries or deaths associated with these incidents” nor does it have any specific information on targeted devices.
The FDA said it had been working with other federal agencies as well as manufacturers, which it said are “responsible for remaining vigilant about identifying risks and hazards associated with their medical devices.”
Among the measures that should be taken, the FDA said, are limiting unauthorized device access, “particularly for those devices that are life-sustaining or could be directly connected to hospital networks.”