Many Popular Medical Devices May Be Vulnerable to Cyber Attacks
An increasing number of patients are being fitted with medical implants like pacemakers and insulin pumps that are vulnerable to cyber-attacks, according to security researchers.
Expert Barnaby Jack, a researcher at security firm McAfee, discovered that the wireless links used in heart-regulating pacemakers, insulin-delivering pumps and cardiac rhythm-monitoring defibrillators that are used for interrogating and updating these devices left them opening exposed to hackers looking to gain remote control.
Jack told BBC that in just two weeks he found a way to scan for and compromise insulin pumps that communicate wirelessly. After overriding the pump’s safeguard, a hacker can threaten the lives of patients on the device by either turning off the device or by commanding wireless implants to deliver a hazardous dose of medicine to the patient.
"We can influence any pump within a 300ft range," Jack told the BBC. "We can make that pump dispense its entire 300 unit reservoir of insulin and we can do that without requiring its ID number."
Diabetics on insulin pumps generally need a dose of 5-10 units of insulin after a heavy meal to help them regulate blood sugar, and if the pump empties its entire cartridge of 300 units of insulin into the patient’s bloodstream the patient would be in “deep trouble,” Jack said.
Experts also found that by re-broadcasting an identified a radio signal, heart defibrillators could also be turned off leaving the patient in serious danger.
Professor Kevin Fu, a computer scientist at the University of Massachusetts Amherst, found that by capturing a signal, hackers can gain control of an implanted heart defibrillator with a wireless outlet.
Fu found that implanted defibrillators are tested using a specific radio signal when been fitted inside a patient, and because the signal turns the device on and off, capturing and rebroadcasting the signal would switch the device off.
He said that because of the limited battery life on medical implants, the devices are not armed with authentication or encryption safeguards that can protect signals passing to and from the device, leaving them exposed to potential attacks, according to BBC.
However Fu added that because devices often need to be updated patients are much better off with wireless devices, but research findings show that more work needs to be done to secure future implants for patient protection, especially when there will be an increasing number of wireless implants.
"Future devices will be much more connected, much more connected to the internet and will have much more use of wireless technology," Fu said, according to BBC.
Fu recommends that manufacturers think about security as they design products to strengthen them against future problems.
"There is no silver bullet, it's not that these problems are easy to address," Fu said. "But there is technology available to reduce these risks significantly."
Jacks told Bloomberg last month that the medical implants are like computers, but unlike laptops and phones that regularly receive security updates, the medical devices cannot be updated without being recalled.
“These are computers that are just as exploitable as your PC or Mac, but they’re not looked at as often,” Jack told Bloomberg last month.
“When you actually look at these devices, the security vulnerabilities are quite shocking.”
Jack said that device manufacturers have not thought of or took any precautions to address the vulnerabilities of medical implants to potential malicious cyber-attacks.
“It wasn’t even an afterthought,” he told Bloomberg. “It wasn’t even a thought at the time.”
The U.S. Food and Drug Administration, which regulates medical devices, has previously warned that wireless devices can be subject to security breaches, but current data does not show “that breaches of device security measures is a widespread problem, “ the agency said in a statement, according to Bloomberg. “However, we continue to closely monitor for safety or security problems.”
Medtronic, the company which produces one of the insulin pumps hacked by Hack, said that it was doing everything it can' to address security flaws, according to the Daily Mail.
“This is an evolution from having to think about security and safety as a healthcare company, and really about keeping people safe on our therapy, to this different question about keeping people safe around criminal or malicious intent,” Catherine Szyman, president of Medtronic's diabetes division, said, according to Daily Mail.
University of Massachusetts researcher have been working on improving the security of implantable devices with wireless capabilities since their discovery in 2008 that that a popular pacemaker-defibrillator could be remotely reset by a hacker to deliver deadly shocks.