One of the final frontiers of medicine is using technology to solve problems medication and traditional surgery cannot. Implantable medical devices help regulate heart rhythms, steady the tremors of Parkinson’s patients and deliver insulin. But how susceptible are they to getting hacked?
When we talk about insecure IoT devices, we’re usually referring to coffee pots gone rogue and smart speakers commandeered by bots. If the device is inside you, though, you can’t just run a security scan or reboot.
The recent WannaCry ransomware, for example, locked down medical records in hospitals, infected MRI machines and hit diagnostic radiology equipment. Had it spread to implantable medical devices, the results could’ve been deadly.
Insane in the membrane
In deep-brain stimulation (DBS), a neurostimulator is implanted in the brain so that it can help regulate nerve signals. DBS treats symptoms of Parkinson’s disease and dystonia, and its use for other diseases — like Tourette’s and obsessive-compulsive disorder — is being studied.
Last year, researchers from Oxford and St George’s, University of London published a study demonstrating how susceptible DBS implants are to attack, which they call brainjacking. An attack could turn the device off or wear down its battery, cause tissue damage from over-stimulation, alter behavior and cognition, impair motor function, affect impulse control, cause pain and even change emotions, they found.
“We conclude that researchers, clinicians, manufacturers, and regulatory bodies should cooperate to minimize the risk posed by brainjacking,” researchers said.
Insulin pumps are external, computerized devices that attach to a sub-dermal tube and deliver short-acting doses of insulin to diabetes patients. They free those with diabetes from having to continuously test their blood and inject themselves, and while they are not connected to the internet, they can still be affected by outside interference.
Jay Radcliffe, a security researcher at Rapid7 and a diabetic, found that the wireless remote for his Johnson & Johnson Animas OneTouch Ping insulin pump communicated in an unencrypted fashion.
“Attackers can trivially sniff the remote/pump key and then spoof being the remote or the pump,” he wrote last year. “This can be done without knowledge of how the key is generated. This vulnerability can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction.”
Radcliffe alerted Animas Corporation, CERT/CC, the FDA and DHS. “Animas has been highly responsive and is proactively notifying users of the devices, and recommending mitigations for the risks,” he said at the time.
For now, the benefits of these implantable medical devices outweigh the risk of a cyber attack, Radcliffe told PCMag. It “often requires special equipment and expertise in both computers and medical equipment to compromise these systems,” he said. “I think all medical device vendors and operators are taking the situation of cyber security very seriously and are working hard to make sure patients using these devices are safe.”
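As an added example (not from this article, Rapid7 or any pump vendor), a toy model of the two designs at issue in Radcliffe's finding: a remote that transmits its pairing key in the clear, where one recorded command is enough for an eavesdropper to be accepted as the remote, beside a hardened variant in which the pump checks an HMAC tag and a strictly increasing counter and so rejects both a replayed capture and an unkeyed forgery. The message layout, function names and dose values are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Toy pump/remote models constructed for this example; not the OneTouch Ping protocol.
# A command asks the pump to deliver `units` of insulin.

def clear_key_command(key, units):
    """Weak remote: the pairing key travels over the air with every command."""
    return {"key": key, "units": units}

def clear_key_pump_accepts(key, msg):
    """Weak pump: anyone who has seen one command has the key and can issue more."""
    return hmac.compare_digest(msg["key"], key)

def authenticated_command(key, counter, units):
    """Hardened remote: sends an HMAC tag over (counter, units); the key never leaves it."""
    body = f"{counter}:{units}".encode()
    return {"counter": counter, "units": units,
            "tag": hmac.new(key, body, hashlib.sha256).digest()}

class AuthenticatedPump:
    """Hardened pump: verifies the tag and requires a strictly increasing counter."""
    def __init__(self, key):
        self.key, self.last_counter, self.delivered = key, -1, []

    def accept(self, msg):
        body = f"{msg['counter']}:{msg['units']}".encode()
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False  # forged or tampered command
        if msg["counter"] <= self.last_counter:
            return False  # replay of a previously captured command
        self.last_counter = msg["counter"]
        self.delivered.append(msg["units"])
        return True

def simulate():
    """Both designs against an eavesdropper who recorded one legitimate 2-unit command.
    Returns (weak_forgery_accepted, replay_accepted, forgery_accepted, hardened_doses)."""
    key = os.urandom(16)
    captured = clear_key_command(key, 2.0)               # what the eavesdropper recorded
    weak_forgery = clear_key_pump_accepts(key, {"key": captured["key"], "units": 10.0})
    pump = AuthenticatedPump(key)
    captured = authenticated_command(key, 1, 2.0)
    pump.accept(captured)                                 # legitimate dose
    replay = pump.accept(captured)                        # identical message sent again
    forgery = pump.accept({"counter": 2, "units": 10.0, "tag": os.urandom(32)})  # no key
    return weak_forgery, replay, forgery, pump.delivered
```

The counter also gives the pump a simple detection signal: a valid tag with a stale counter is a replayed message, which a real device could log rather than silently drop.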
There is perhaps no heart patient as famous as former Vice President Dick Cheney, who has suffered five heart attacks and has at various times had a pacemaker, defibrillator and left ventricular assist device. Because of fears of an assassination attempt, Cheney had the wireless capabilities of his pacemaker turned off, he told 60 Minutes in 2013.
To date, no such attack has been successfully carried out on anyone with an implanted heart device. But in 2012, security researcher Barnaby Jack demonstrated at the BreakPoint security conference how a fatal attack could be executed against someone with an implanted pacemaker or defibrillator. Jack continued his research into implantable medical devices, and argued that government agencies and manufacturers were not doing enough to protect patients. Sadly, the night before he was set to give a demonstration of his findings at BlackHat 2013, he died of a drug overdose.
When a medical device comes to market, it is examined and approved by the Food and Drug Administration (FDA). As part of that process, the agency evaluates the device for cyber-security risks.
“The FDA allows devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks,” the agency said in a statement. “While the increased use of wireless technology and software in medical devices also increases the risks of potential cyber-security threats, these same features also improve health care and increase the ability of health care providers to treat patients.”
Should any vulnerabilities be found after a device is on the market, the FDA works with the Department of Homeland Security to address the problem.
The National Institute of Standards and Technology (NIST) also serves as a resource; a NIST spokesperson said the agency has an eye toward protecting devices that are already on the market and pointed to best practices the agency wrote for manufacturers of wireless infusion pumps.