A New Kind of Health Scare

By Miranda Sumey

By now, almost everyone is aware that hackers can and do go after such targets as U.S. critical infrastructure, the government, and financial institutions. But a scary, fairly under-the-radar trend is cropping up and gaining recognition: hacking personal medical devices.

In one episode of the TV show “Homeland,” the Vice President of the United States is assassinated after hackers tap into and modify his pacemaker. The storyline is fiction (and as with many cable TV shows – a little over the top!), but the underlying notion isn’t. Pacemakers, insulin pumps, and other personal medical devices, whether worn on the body or surgically implanted, communicate wirelessly between the patient and hospital networks – making them as vulnerable to a cyber-attack as a bank’s website. “These are computers that are just as exploitable as your PC or Mac, but they’re not looked at as often,” said the late professional white-hat hacker Barnaby Jack. “When you actually look at these devices, the security vulnerabilities are quite shocking.”[1]

The unfortunate fact is that for years, there’s been a dearth of security experts in the medical device manufacturing community, resulting in some relatively gaping flaws. Over half of the medical devices produced in the U.S. rely on software, much of it proprietary: a pacemaker can have as many as 80,000 lines of code; an MRI scanner as many as 7 million.[2] This year, the Industrial Control Systems Cyber Emergency Response Team, part of the Department of Homeland Security, published an alert stating that it found hard-coded password vulnerabilities in 300 medical devices manufactured by 40 different companies.[3] While hardware and software vulnerabilities can be exploited by malicious actors in a slew of medical devices, personal medical devices get a double whammy from the fact that they work wirelessly and perform vital, uninterruptible services. Unauthorized access or denial-of-service attacks are a nuisance no matter what industry, but the effects of a disabled pacemaker regulating a patient’s heartbeat are arguably more severe than a website taken down temporarily. 

The idea that medical devices could be hacked gained some notoriety after the BlackHat conference of 2011, in which security expert Jay Radcliffe stunned audiences by demonstrating exactly such an attack. Specifically, Radcliffe reverse-engineered the wireless commands sent from his personal insulin pump’s controller, which communicate to the pump the exact dosage of insulin to administer. Once he decoded the communications protocol, Radcliffe programmed a small, inexpensive radio frequency (RF) transmitter to remotely control his pump. In his demonstration, Radcliffe showed how he could use the remote transmitter both to direct the pump to administer arbitrary insulin doses or disable it altogether, potentially proving fatal to the patient.[4]

For those familiar with wireless protocols, the natural inclination is to ask “Why not just encrypt the data?” With medical devices, it’s not that simple. Encryption often comes at the expense of efficiency: valuable seconds or milliseconds that could make the difference between life and death. Verification methods, such as requiring a doctor to provide a password or PIN code in order to administer treatment, present other obstacles: many times, backdoors are present on purpose to allow doctors to bypass security controls in order to remotely provide immediate care or prevent the patient from having to undergo emergency surgery. And there’s no room for error: if you get locked out of your Gmail account after 3 tries, no big deal. But if a doctor gets locked out of using a medical device when he or she forgets the password? Say hello to a liability lawsuit.

On a less dire scale, patient privacy also becomes an issue. Many medical devices used in hospitals use a Windows-based operating system, which if you haven’t heard, is susceptible to a number of security issues. They’re also frequently connected to hospital networks and sometimes even the Internet. Commonplace viruses and malware siphoning confidential medical records as if they were credit card numbers aren’t quite as terrifying as an attacker causing a patient to overdose on insulin, but it’s still obviously problematic.

On the bright side, though it may be feasible to hack a personal medical device, to date we don’t know of any actual occurrences. And for a cyber attacker, whose motives typically include causing wide-spread economic damage, reaping a financial gain, or instigating some sort of mass panic, your average Joe Smith’s insulin pump isn’t exactly a first choice for a target. Additionally, the industry is taking as proactive of measures as they can: the Center for Internet Security is working with both hospitals and device manufacturers to produce more secure configurations for medical devices. ICS-CERT is working closely with the Food and Drug Administration and has notified the vendors implicated in the results of its publication, asking each to provide specifics on mitigation measures. And just this year, the FDA released guidance for cyber security concerns specific to personal medical devices that cover such topics as risk management.[5]

Academia, too, is assisting: MIT and the University of Massachusetts have teamed up to develop new technology to safeguard pacemakers and brain stimulators by jamming unauthorized signals detected on the device's frequency. Researchers at Dartmouth are exploring the use of biometric sensors as a more secure form of device authentication: the prototype uses the wearer’s unique physiological responses to a small electrical current in order to authenticate and prevent unauthorized tampering.[6]

As these devices become more interconnected, wirelessly integrating with computer networks and software used by doctors, it certainly makes healthcare more efficient – but its high-time to consider security as well.


References:

[1] Mike Miliard, Threat Matrix: Malware and Hacking Pose Dangers to Medical Devices, Healthcare IT News, May 2013 available at http://www.healthcareitnews.com/news/threat-matrix-malware-and-hacking-pose-dangers-medical-devices?page=3.

[2] How Vulnerable are Medical Devices to Hackers? The Economist, June 18, 2013, available at http://www.economist.com/blogs/economist-explains/2013/06/economist-explains-5.

[3] Joshua Brustein, Medical Hacking Poses a Terrifying Threat, in Theory, Bloomberg Business Week Technology, August 15, 2013, available at http://www.businessweek.com/articles/2013-08-15/medical-hacking-poses-a-terrifying-threat-in-theory.

[4] Mathew J. Schwartz, Hacked Medical Device Sparks Congressional Inquiry, InformationWeek Security, August 23, 2011, available at http://www.informationweek.com/security/vulnerabilities/hacked-medical-device-sparks-congression/231500548.

[5] Alert (ICS-ALERT-13-164-01) Medical Devices Hard-Coded Passwords, ICS-CERT, June 13, 2013 available at http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01.

[6] Mike Miliard, Threat Matrix: Malware and Hacking Pose Dangers to Medical Devices, Healthcare IT News, May 2013 available at http://www.healthcareitnews.com/news/threat-matrix-malware-and-hacking-pose-dangers-medical-devices?page=3.