How Hacking Can Cost Lives
21st of July, 2015
While we spend much of our focus on online privacy and security for your personal devices, it is necessary to extend that discussion to include medical devices. Medical devices have undergone drastic development in technology, similar to what we’ve seen occur in our personal devices. Distressingly, the level of security and privacy we have demanded for our personal computers and phones has not extended to life-saving medical tools.
The hacking of medical devices, both inside and outside the body, is referred to as “medjacking”. Devices susceptible to medjacking include, but aren’t limited to: insulin pumps, pacemakers, Bluetooth-enabled defibrillators, and drug infusion pumps like those used for chemotherapy. On an even larger scale, patient records can be accessed and altered, leading to drugs being misprescribed. Scott Erven uncovered many of these security flaws in a study spanning the course of two years. This study was reported on by Wired last year.
Surprisingly, this isn’t the first instance of research being done on the potential risks of medical devices. In years past, there have been demonstrations given on the accessibility of insulin pumps. The short video below on insulin pump hacking was reported on by Bloomberg Business over three years ago. In the video, you can see the device manufacturer and the FDA dismiss the level of risk associated with the devices.
It is apparent that there is a real problem here. The threat of attack is real enough that in 2012, the physician of Vice President Dick Cheney disabled wireless functionality on Cheney’s heart implant to prevent an assassination attempt. Yet still, according to Erven, “Even though research has been done to show the risks, health care organizations haven’t taken notice. They aren’t doing the testing they need to do and need to focus on assessing their risks”.
Closer to the present day, the issue of medjacking was reported on by InformationWeek. The article described medical equipment as lacking basic security, citing preconfigured devices with weak default passwords.
To date, there is no set standard for protecting the privacy and security of medical devices. There have, however, been steps taken and solutions proposed for this serious problem. In 2013, a document was issued by the FDA recommending that wireless medical devices use wireless protection, which would include data encryption and access controls. While this step is important, the FDA did not create a standard, but rather a recommendation.
Coming towards the end of 2013, the MIT Technology Review published an article on an innovative solution from Rice University. Researchers at Rice developed a method where doctors would hold a device to a patient’s chest to get a direct reading of their heartbeat. This reading is then compared to the heartbeat given over the wireless signal to confirm they match; of course, the signals of the heartbeat are encrypted to prevent hacking the connection. In this way patients are given an extra layer of security to ensure anyone trying to access the device is not a medjacker.
Issues persist, however, as last week NBC Chicago reported on infusion pumps with serious security flaws. These pumps could be easily accessed to alter dosages of anything from anesthetic to narcotics. The news clip below goes into further detail. From the clip, we can notice the change in response from a manufacturing company as compared to the earlier video by Bloomberg.
Continuing in last week’s news, KSLA News reported that representatives of government, industry, academia, and medicine would now be meeting to begin creating standards for medical device protection.
The important takeaway from this article is that a lack of security and privacy across our devices can have real consequences. It is easy for users to shrug off the importance of not wanting their data to be mined to create a profile of their lives. Many can say they are comfortable with the level of security afforded to their credit card and banking information. It is impossible, though, to say we are OK with having little to no privacy or security protecting life. The call for better privacy and security protocols is louder than ever as we approach a point where our capabilities allow us to so easily do irreparable damage.
About Ryan Jeethan
Ryan is a graduate of the University of Waterloo’s Arts & Business program focusing on UW’s unique Speech Communication program.