China Alleged to Have Hacked Three Medical Device Companies

February 13, 2014 Updated: February 12, 2014

Three of the leading medical device companies may have fallen victim to cyberattacks in the first half of 2013, and the attacks may have lasted several months.

The attacks allegedly hit Medtronic, Boston Scientific, and St. Jude Medical. Medtronic is the world’s largest medical device company, and the other two companies are also among the global industry leaders. The story was first reported by the San Francisco Chronicle, which cited an unnamed source close to the companies.

None of the three companies immediately responded to phone calls inquiring about the allegations.

If true, however, the attacks would not be the first. Boston Scientific was breached in 2011 by Chinese cyberspies, according to intelligence data obtained by Bloomberg, and China’s leadership has done little to hide its interest in medical technology. 

In May 2013, three Chinese researchers at New York University were allegedly providing a China-based company with information on research on MRI technology that had been funded by the U.S. National Institutes of Health. Two of the researchers were charged by the FBI, and the third fled to China. It was revealed they were secretly working with the Shenzhen Institute of Advanced Technology, which is part of the state-run Chinese Academy of Sciences.

The Chinese Communist Party has a policy of developing high-value technology in key industries, which include medical devices. Known methods of technological development include theft and espionage from competitors. Rep. Billy Long said during a June 2012 congressional hearing that “China and Russia have official government policies of stealing U.S. assets for economic gain.”

A 2011 report from the Office of the National Counterintelligence Executive explains that China’s interest is rooted in its Project 863, which was launched in 1986 to “enhance China’s economic competitiveness and narrow the scientific and technology gap between China and the West in areas such as nanotechnology, computers, and biotechnology.”

The report predicted that China’s interest in stealing U.S. medical research and technology would grow, noting, “Healthcare services and medical devices/equipment will be two of the five fastest growing international investment sectors.”

Boston Scientific, for example, invested close to $886 million in research and development and brought in $7.25 billion in revenue in 2012.

The report adds that the industry faces particularly high costs in research and development, and that countries including China and Russia, which have policies for stealing intellectual property, would likely try stealing the research rather than shouldering the cost.

The interests of the Chinese Communist Party laid out in Project 863 have only accelerated. Under China’s newly released Five-Year Plan, the regime’s leadership is trying to develop a high-tech economy. Researchers noted in a November 2013 congressional report, however, that China’s lack of infrastructure to support entrepreneurs and protect intellectual property means it is likely to still turn elsewhere for its research and development.

The interest in hacking medical devices may go beyond profit. 

Jerome Radcliffe, a security researcher and Type 1 diabetic, demonstrated a cyberattack at the 2011 Black Hat security conference, where he hacked the control system of his own insulin pump. He demonstrated that a person with ill intent could hack medical devices to harm or kill a targeted victim. Former Vice President Dick Cheney also told “60 Minutes” in 2013 that he had a defibrillator implanted near his heart in 2007 and had its Wi-Fi switched off to guard against potential hackers.

The U.S. Food and Drug Administration (FDA) released a warning about the potential attacks on medical devices in June 2013. It recommended that manufacturers of medical devices put safeguards in place to prevent medical equipment from being infected with malware.

At the time, the FDA highlighted some of the risks faced if hackers could manage to infect medical devices. “Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches,” it stated. 

“In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates.”

Follow Joshua on Twitter: @JoshJPhilipp