Computer networks at three prominent medical device makers--Medtronic, Boston Scientific and St. Jude Medical--were hacked in the first half of 2013, and may have lasted several months, according to a report this week from the San Francisco Chronicle.
The attacks--which went undetected by the respective companies until they were brought up to speed by the feds--may have been conducted by hackers in China, according to newspaper, citing an anonymous source. All three have created task forces to examine the breach internally.
To date, none of the three companies has reported any breach of patient information--a violation under HIPAA and the HITECH Act--to the U.S. Department of Health & Human Services Office for Civil Rights--according to The Chronicle.
Boston Scientific Senior VP of Corporate Affairs and Communications Denise Kaigler told The Chronicle that the company has "a dedicated team to detect and mitigate attacks when they occur, as well as to implement solutions to prevent future attacks," but also called information in the report "inaccurate."
Last fall, former vice president Dick Cheney told CNN's Sanjay Gupta on "60 Minutes" that when he was in office, his doctors turned off the wireless function of his implanted cardiac defibrillator "in case a terrorist tried to send his heart a fatal shock."
Meanwhile, in September 2012, the Government Accountability Office released a report calling for the U.S. Food and Drug Administration to pay more attention to the information security risks for implantable medical devices--such as heart defibrillators and insulin pumps--including the threat of hacking and sabotage.
The HHS Office of Inspector General plans to scrutinize medical devices more closely in 2014, according to its recently released work plan, stating that it is concerned with portable devices containing protected health information. It plans on reviewing security controls implemented by Medicare and Medicaid contractors and by providers for loss prevention of PHI on portable devices like laptops, jump drives, backup tapes and equipment considered for disposal. Networked devices at hospitals also will be examined more closely.
To learn more:
- read the San Francisco Chronicle article