Under investigation is an infusion pump from Hospira , implantable heart devices from Medtronic and St Jude Medica.
There is no indication that hackers have been attacking patients through these devices, but the agency is concerned that malicious people may try to gain control of the devices remotely and create problems, such as instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity.
The senior DHS official said the agency is working with manufacturers to identify and repair software coding bugs and other vulnerabilities that hackers can potentially use to expose confidential data or attack hospital equipment.
Hospira, Medtronic and St Jude Medical declined to comment on the DHS investigations. All three companies said they take cybersecurity seriously and have made changes to improve product safety, but declined to give details.
The agency started examining healthcare equipment about two years ago, when cybersecurity researchers were becoming more interested in medical devices that increasingly contained computer chips, software, wireless technology and Internet connectivity, making them more susceptible to hacking.
The US Food and Drug Administration, which regulates the sale of medical devices, recently issued guidelines for manufacturers and healthcare providers telling them to better secure medical gear.
The DHS review does not imply the government thinks a company has done anything wrong – it means the agency is looking into a suspected vulnerability to fix it.
This is not the first time that medical gear has fallen under the security microscope. In 2007, then US Vice President Dick Cheney ordered some of the wireless features to be disabled on his defibrillator due to security concerns. Unfortunately, this was done and Cheney was not bumped off by hackers sabotaging his defibrillator.