The new battle front…

Millions of implanted electronic medical devices are in use in the United States. As the vulnerability of implanted medical devices to being hacked becomes more apparent, how could they be exploited? If hackers can alter or remotely disable a medical device, could they exploit this ability to extort patients or the device manufacturer? Would a hacker harm or kill a device wearer, just to show it can be done or for a potential ransom?

The most significant threat on the new battlefront…

Real life example of the risk of implanted medical devices.

Information security is a crisis in our time. Headlines highlight massive security breaches affecting the privacy and pocketbooks of millions at organizations such as Sony, Target, Anthem Health, Home Depot, and of course the federal government’s Office of Personnel Management (OPM). These attacks have breached the security of myriad organizations, both corporate and governmental, impacting millions of people with the theft of vital information. However, what the hackers are after in these cases is either money or anarchy. In the case of implanted medical devices, the effect is much more dangerous. If hackers could reprogram an implanted medical device and do much greater damage, would they do it?

Why the helmets? The next true state-sponsored threat

The answer to whether hackers have any interest in physically harming people was revealed by an assault on an epilepsy support group message board. Hackers added flashing computer animation that triggered seizures in epilepsy support group members.[1] This is regarded as one of the first computer attacks to cause physical harm, and is certainly an indication that hackers intent on causing harm may attempt to do so by hacking into medical devices themselves.

There are millions of wirelessly reprogrammable implanted medical devices currently in use in the medical profession, with another 300,000 implanted each year. Medical device security is a challenging area because it covers a large set of disciplines including software engineering, clinical care, patient safety, electrical engineering, human factors, physiology, regulatory affairs, and cryptography.[2] There are a lot of well-meaning medical device manufacturers who have not yet mastered the culture and principles of information security and privacy.

In this video Professor Fu indicates that the possibility of intentional medical malfunctions is a risk that will increase in the future.

Devices such as defibrillators combined with pacemakers, cochlear implants, drug infusion pumps, and even remotely reversible vasectomies[i] are being medically implanted into patients. These devices are now being designed to transmit and receive wireless data, which has the potential to be exploited.

The implanted combination pacemaker and defibrillator senses a rapid heartbeat and can administer an electrical shock, just like an external defibrillator, to restore normal heart rhythm. In 2008 a team of computer researchers was able to remotely reprogram a combination defibrillator and pacemaker, causing it to shut down and deliver jolts of electricity that would potentially be fatal if the device were actually implanted in a person.[3] As Professor Fu states in the attached video, risks to patients are currently considered low, but they may become more vulnerable as technology moves forward in the future.

Advances in technology have also been seen in the design of implantable computer-controlled pumps for administering medicine. Some manufacturers initially underestimated the importance of security requirements during the design of such devices, leaving exploitable back doors to the pumps. These back doors can allow unauthorized reprogramming of the pump. In 2012 an insulin-dependent patient, Jay Radcliffe, elected to have an insulin pump implanted in order to avoid injecting himself with a needle and syringe. Mr. Radcliffe used his experience in computer security to analyze his implanted pump. With the user manual, he was able to determine the exact frequency modulation that information would be transmitted on. Pairing this information with information obtained from the Federal Communications Commission (FCC) and from the original patent for the device, he was able to test the device’s security. With this information he was eventually able to determine how to interrupt the data sensor to send inaccurate blood sugar values, thereby inducing the device to give an insulin overdose.[4] It was later determined that implanted drug pumps are some of the easiest devices to hack, and have some of the gravest consequences because of the risk of drug under- or overdose.

Essentia Health’s head of information security, Scott Erven, evaluated the related risk in medical equipment at a large health care facility. Over the course of his two-year study, he found that external drug infusion pumps, used to deliver morphine, chemotherapy, antibiotics, and other drugs, could be remotely manipulated to change the dosage delivered to patients.[5] He also noted that Bluetooth-enabled defibrillators could be made to deliver random shocks or prevent a shock from occurring. Digital records could be altered, and devices could be restarted or have their configurations wiped out. Mr. Erven reported in his findings that the healthcare industry is just beginning to recognize the security problems with medical devices. He contends that the design emphasis has been placed on the reliability and effectiveness of devices, and not on their security.

Professor Fu finds that engineers at most medical device manufacturers sincerely want to improve the security of their products. They are beginning to understand that information security and privacy have to become a part of the corporate culture if the producers make use of modern communication and computer technology.[6] There are three areas where manufacturers must improve the trustworthiness of medical device software: the early concept phase; design, testing and manufacture; and post-market surveillance.[7] Currently the most significant focus on implementing security measures is on the back end of design and in fixing bugs in the software. The security of the system is often overlooked in the design and engineering phase, with more of a focus on the medical design. More time should be spent at the concept phase on hazard analysis and risk management so that implementations are less likely to have security problems.[8]

Improvement in medical device security may best be achieved if government and the medical industry work together to develop increased standards and regulations. In June of 2014, the National Institute of Standards and Technology, part of the United States Department of Commerce, hosted a panel on issues affecting medical device security and emerging standards. This is a good beginning, but radical progress must be made to ensure security — it’s only life and death.

Sources for this article can be found below.