Wireless technology has made it possible to create implantable medical devices that do everything from monitoring patients’ heart rhythms to delivering the correct amount of insulin to diabetics. But according to a new report by the General Accounting Office, that lifesaving technology has also left the door wide open to cyberattacks.
Hacked Medical Devices Can Have Deadly Consequences
The GAO initiated its investigation at the request of Democratic Representatives Edward Markey and Anna Eshoo after two researchers exposed the wireless security vulnerabilities of insulin pumps. At the 2011 Black Hat security conference, researcher Jay Radcliffe, who’s also a diabetic, hacked into his own Medtronic insulin pump onstage using a $20 radio frequency transmitter, disabling its lifesaving therapy.
Radcliffe told the Las Vegas audience the device had no passwords and no authentication – all you need is the serial number to hack it. From there, he said hackers could remotely control complete strangers’ pumps.
“It’s not like someone stealing your credit card and you’re out a couple hundred dollars,” Radcliffe said last year. “In this case, if there’s one failure in the system, we’re talking about someone’s life.”
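The flaw Radcliffe describes, a device that treats its serial number as the only credential, is easier to see in code. The following is an added example written for this article, not Radcliffe's or Medtronic's code, and it models no real pump protocol: the serial number, the pairing key, the field layout and the dose ceiling are all constructed for the illustration. It places a serial-only check beside a hardened variant that requires a keyed tag (HMAC-SHA256 under a key established once at pairing), rejects replayed messages with a monotonic counter, and enforces a device-side dose limit even on properly authenticated commands.

```python
import hmac
import hashlib
from typing import Optional

# Constructed illustrative model of a wireless pump's command channel.
# This is NOT Medtronic's protocol; the serial, key, field names and the
# dose ceiling below are assumptions made for this example.

SERIAL = "SN-0001234"                                 # constructed sample serial, as printed on a label
PAIRED_KEY = b"constructed-32-byte-pairing-key!"      # assumed per-device key from one-time pairing
MAX_UNITS_PER_COMMAND = 10.0                          # assumed device-side safety ceiling


def _canonical(serial: str, counter: int, units: float) -> bytes:
    """Fixed encoding of every field the tag must cover, so the tag binds all of them."""
    return f"{serial}|{counter}|{units:.2f}".encode()


def make_command(serial: str, counter: int, units: float, key: Optional[bytes]) -> dict:
    """Controller side: build a bolus command; with a key, attach an HMAC-SHA256 tag."""
    msg = {"serial": serial, "counter": counter, "units": units}
    if key is not None:
        msg["tag"] = hmac.new(key, _canonical(serial, counter, units), hashlib.sha256).hexdigest()
    return msg


class SerialOnlyPump:
    """Models the design the article describes: matching the serial number is the only check."""

    def __init__(self, serial: str):
        self.serial = serial
        self.delivered = 0.0

    def receive(self, msg: dict) -> bool:
        if msg.get("serial") != self.serial:
            return False
        self.delivered += msg["units"]
        return True


class AuthenticatedPump:
    """Hardened model: keyed tag, monotonic counter against replay, and a dose ceiling."""

    def __init__(self, serial: str, key: bytes):
        self.serial = serial
        self.key = key
        self.last_counter = 0
        self.delivered = 0.0

    def receive(self, msg: dict) -> bool:
        if msg.get("serial") != self.serial or "tag" not in msg:
            return False
        expected = hmac.new(self.key, _canonical(msg["serial"], msg["counter"], msg["units"]),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so the tag check itself does not leak information.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False
        if msg["counter"] <= self.last_counter:       # a captured message cannot be resent
            return False
        if msg["units"] > MAX_UNITS_PER_COMMAND:      # safety limit applies even to valid commands
            return False
        self.last_counter = msg["counter"]
        self.delivered += msg["units"]
        return True


def demo() -> dict:
    """Send the same constructed messages to both models and report what each accepted."""
    legacy = SerialOnlyPump(SERIAL)
    hardened = AuthenticatedPump(SERIAL, PAIRED_KEY)

    legit = make_command(SERIAL, 1, 2.5, PAIRED_KEY)       # from the paired controller
    stranger = make_command(SERIAL, 2, 50.0, None)         # knows only the serial, holds no key
    forged = make_command(SERIAL, 2, 50.0, b"wrong-key")   # guessed key
    replay = dict(legit)                                   # the legitimate message, resent
    oversized = make_command(SERIAL, 3, 50.0, PAIRED_KEY)  # valid key, but over the ceiling

    return {
        "legacy_accepts_stranger": legacy.receive(stranger),
        "hardened_accepts_legit": hardened.receive(legit),
        "hardened_rejects_stranger": not hardened.receive(stranger),
        "hardened_rejects_forged": not hardened.receive(forged),
        "hardened_rejects_replay": not hardened.receive(replay),
        "hardened_rejects_oversized": not hardened.receive(oversized),
        "legacy_delivered": legacy.delivered,
        "hardened_delivered": hardened.delivered,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The serial-only model accepts whatever names the right serial, so the only thing standing between a stranger and the delivery mechanism is a number the device does not treat as secret. The hardened model needs three independent properties to fail before an unauthorised dose goes through: the pairing key, the replay counter and the dose ceiling. The ceiling is the one that matters most for patient safety, because it limits the damage even if the key is ever compromised.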
Two months later, Barnaby Jack, who worked as a professional hacker for the security firm McAfee, took Radcliffe’s work one step further. At the Hacker Halted conference in Miami, Jack demonstrated software and a special antenna he designed that allows him to locate and gain control of vulnerable Medtronic pumps within 300 feet and dispense a fatal dose of insulin – without knowing the device’s serial number.
“These are computers that are just as exploitable as your PC or Mac, but they’re not looked at as often,” Jack told Bloomberg earlier this year. Given Jack’s and Radcliffe’s hacks of insulin pumps, it should come as no surprise that McAfee’s threat prediction for 2012 lists embedded hardware as “the promised land for sophisticated hackers.”
For the past year, Jay Radcliffe has been working with Medtronic and other manufacturers to improve the information security of their medical devices. He says Medtronic has made progress, including putting someone in charge of overseeing privacy and security for all of its products. But it can take years for changes in medical devices to reach the market because of long product cycles and regulatory hurdles.
For those who are tempted to view Radcliffe’s and Jack’s work as something straight out of The Girl with the Dragon Tattoo, consider this: Many implantable heart defibrillators, pacemakers and other medical devices also offer little or no protection against hackers.
In 2008, researchers from the University of Washington and University of Massachusetts discovered they could assume control of a popular pacemaker-defibrillator to deliver deadly shocks; and they could glean personal data from the device’s signals.
GAO Recommends FDA Focus on Medical Device Security
The FDA says it did not consider information security risks from intentional threats as a real possibility until recently.
That’s because it has always been focused on the safety of medical devices, not on their security. But the three hacking demonstrations of medical devices by researchers led the GAO to conclude that information security risks resulting from certain threats and vulnerabilities could affect the safety and effectiveness of medical devices. It recommended that the FDA develop a plan to focus on information security risks.
Medical Devices: The Enemy Within?
This month, two researchers from the University of Alabama at Birmingham drew more attention to the wireless security threat to medical devices.
In their paper, “The Enemy Within: The Emerging Threat from Malicious Mobile Devices,” Shams Zawoad and Ragib Hasan describe how hackers can launch attacks against medical devices from compromised mobile devices. They outline how hackers can steal confidential data from patients’ devices and use it for financial gain, feed doctors bad data, and issue potentially fatal commands.
What’s more, because patients who use implantable or wearable medical devices often use their smartphones to monitor their health conditions, the researchers believe there’s a good chance that mobile malware can monitor the patient’s condition around the clock.
They point out that the hackers don’t need to be near the patient. They can create malware that collects and uploads data to a server, allowing them to compile a large electronic medical record database of patients who use medical devices.
The demand for implantable medical devices in the U.S. will grow to a $52 billion market by 2015. Those devices save lives every day.
But they can also jeopardize patients’ lives if hackers gain access and control of their medical information. If you’re one of those patients, demand that manufacturers and regulators tell you what they’re doing to keep your medical device and your medical information secure.