Hack Attacks: Are Your Medical Devices At Risk?
It was a dramatic sequel to an earlier demo at a previous Black Hat computer security conference, also by Barnaby Jack, a research architect for antivirus software company McAfee, in which he made an on-stage ATM belch forth cash.
Pacemakers and ICDs share the same vulnerabilities, according to Mr. Jack. “ICDs and pacemakers are far behind insulin pumps. They have no encryption and they require no authentication,” he told CardioSource WorldNews.
The high-gain 6-foot antenna used in the pump-hacking demo has an effective range of about 300 feet, said Stuart McClure, McAfee’s global chief technology officer. “But a determined adversary absolutely could miniaturize and hide these types of antennas, or could create alternative pathways and tap into other large structures (in a stadium, for example) and use them as antennas to send information packets to invade and co-opt devices.” Imagine a bevy of chaotic heart rates or ICD shocks in a crowd.
The hacked infusion pump was made by Medtronic Inc. In response to questions about its devices’ vulnerabilities, Medtronic supplied a prepared statement including the following: “Medtronic takes patient safety and device security very seriously and we appreciate the security community bringing new information on the possibility of manipulating or ‘hacking’ our insulin pumps. We have been increasing our focus on the prevention of tampering with our products and look forward to partnering with the security, healthcare, and diabetes communities to develop ways to better protect patients from the risk of tampering, which is necessary to keep pace with a new and rapidly evolving technology landscape.”
Christopher Garland, Medtronic’s vice president of communications, disagreed with Mr. Jack’s assertion that pacemakers and ICDs are more vulnerable than infusion pumps, and reaffirmed the prepared statement, which says further, “We have taken a number of steps to address this matter including conducting an in-depth risk/benefit analysis to clearly assess the potential risk, evaluating the best encryption and security technologies for incorporation into our products and design process, and working with outside security experts to develop new approaches and best practices to device security.”
The individual acknowledged by Mr. McClure and Mr. Jack as having greater expertise on ICD and pacemaker security is Kevin Fu, PhD, associate professor of computer science at University of Massachusetts in Amherst. Dr. Fu noted in an interview that most of the security research on medical devices has been on vulnerability, not on the likelihood of real threats. While he acknowledged that opinions vary regarding feasibility of clinically damaging attacks, his view was unequivocal: “I think, personally, this is a big problem that’s coming—but the sky is not falling yet. We have time to mitigate the risks.”
To date, there have been no reported incidents of intentional hacking or infection of medical devices, Dr. Fu emphasized. “If your device is isolated and not connected to a network, risks are reasonably low.” But advancing medical technologies incorporate greater autonomy and connectivity into devices to offer continuous care and monitoring. When infusion pumps, for example, become matched with internal devices that monitor serum levels, programmed algorithms will make dosing decisions. Another example: wireless device–physician connections will let physicians adjust therapies remotely after monitoring the device or talking with the patient. Inadequate security will be a barrier to such strategies—unless the devices are manufactured with security concerns addressed from the outset.
Could ICDs and other devices be programmed to have passwords, just like PCs? That simple solution lends itself well to emails, but maybe not so much to critical medical devices. Dr. Fu said password security could be disastrous in a medical device. “Imagine a password on an insulin pump or pacemaker,” he said. “It malfunctions and begins to discharge improperly and you, in a panic, can’t remember [the password]—and then can’t shut it off. Imagine an even more time-sensitive context—an unconscious patient.” What can you do: dramatically race to wake the patient and get his password information? “What is a simple solution for a consumer product may be harmful in a medical device.”
The problem demonstrated with the insulin pump hacking, he added, is a design flaw that could not be more basic: the manufacturer did not consider security from the beginning. That’s a flaw found in ICDs and pacemakers as well. “You have to look from a hacker’s perspective—which would require building in strong authentication and strong encryption so it can’t be intercepted or eavesdropped. You need vulnerability detection and protection in the code, itself, that goes into the firmware,” Dr. Fu said.
Beyond putting security into initial designs, manufacturers need to completely overhaul existing devices with security in mind. “But it’s not as easy as a Windows update,” he added. (And given the problems and glitches that typically follow the installation of Windows updates, it may be a good thing it can’t be that easy.)
Given that no “hack attacks” have ever been reported, is this merely fear-mongering on the part of the very security firms that stand to profit from generating panic? “Typically, the bad guys are ahead of the good guys. It is very inconvenient and annoying to have to solve these problems, but they are not going to go away,” Dr. Fu said.
And what, according to Dr. Fu, is the biggest impediment to improved medical device security? “The boring reason is diffusion of responsibility. The technical problems are quite challenging and the parties with the greatest ability to improve things have the least incentive. Unfortunately, medicine and computing change at extremely different rates — so you have two worlds colliding.
“We’re in a grace period now. I hope we can solve this before something happens.”
—by Walter Alexander
< Back to Listings