1976 Medical devices come under the regulatory authority of the FDA.
1981 Vitatron (Medtronic) creates the first software-driven pacemaker.
2003 Vitatron creates the first digital pacemaker.
2005 The FDA issues its first guidance for industry on connected medical devices.
2008 Researchers hack a software radio-controlled defibrillator over a very short distance, making it send potentially fatal jolts of electricity and shutting it down.
2009 The Department of Veterans Affairs starts tracking medical devices infected with malware. By June 2016, it will have found 181 infections.
Oct. 2014 The FDA issues premarket submission guidance for manufacturers to consider cyber security risk during the design and development of medical devices.
May 2015 The FDA warns users of Hospira’s LifeCare PCA3 and PCA5 Infusion Pump Systems that an attacker could access the systems remotely and interfere with their functioning.
July 2015 The FDA advises facilities to stop using Hospira’s Symbiq Infusion System after researchers show an attacker could access it remotely through a facility’s network.
Oct. 2016 Johnson & Johnson warns more than 100,000 patients that their insulin pumps could be hacked to overdose them.
Dec. 2016 Using cheap, commercially available software, researchers reverse-engineer the proprietary communication protocol used between an implantable defibrillator and its device programmer and show that software radio attacks over long distances are possible.
Jan. 2017 The FDA informs providers and users that St. Jude Medical will automatically patch its Merlin@home Transmitter, which contains vulnerabilities an attacker could exploit to tamper with patients’ implantable cardiac devices.
May 2017 During the worldwide WannaCry ransomware attack, the malware infects a Bayer Medrad power injector (radiological imaging equipment) in use in a U.S. hospital.
Aug. 2017 The FDA approves a recall and firmware update of 465,000 Abbott (St. Jude Medical) implantable pacemakers that contain cyber security vulnerabilities.
Sept. 2017 ICS-CERT identifies problems with Smiths Medical’s Medfusion 4000 wireless infusion pumps that could allow an attacker to tamper with pump operation via remote code execution.
Jan.–March 2018 There are 343 medical device recalls, with a startling average of 600,000 units each. The top cause of recalls (22.7%) is software issues.
April 2018 The FDA approves a recall and firmware update of 350,000 Abbott implantable defibrillators to address cyber security vulnerabilities and battery depletion issues.
April–June 2018 There are 360 medical device recalls. Average recall size returns to normal, but software issues remain the top cause (22.8%), now for more than two years running.