Cyber(Heart)Attack: How to Make Medical Devices Secure
LAS VEGAS — It brings new meaning to the phrase "heart attack": Former Vice President Dick Cheney wears a pacemaker specially modified to reduce the risk of a cyberattack.
Most people don't have to worry about terrorists attempting an as-yet-theoretical hack on a medical device to murder them. But as technology becomes more advanced and devices become more and more connected, medical-device security is an increasingly pressing issue.
A group of doctors, security experts and other professionals gathered at the BlackHat security conference here this past Thursday (August 7) for a roundtable discussion of the risks and challenges associated with implanted medical devices (IMDs).
The discussion was moderated by Jay Radcliffe, a security researcher at Boston-based Rapid7 who demonstrated how to hack an insulin pump at Black Hat in 2011.
What's the risk?
There are no known cases of anyone hacking a pacemaker to harm or kill someone else, but researchers have proven that it's possible.
One roundtable participant pointed out that not only pacemakers can be deadly: Causing an insulin pump to release too much insulin could seriously harm, or even kill, the pump's wearer. To the participant, this means medical devices are weaponizable and should be increasingly regulated.
Yet military and political figures such as Dick Cheney are special cases. For the vast majority of people, wearing a fully equipped IMD when necessary is the most responsible thing to do.
"If your doctor says you should get an insulin pump to get help your child's health, you do it," Radcliffe said. "The risk right now of insulin-pump attacks are similar to going outside and being hit by lightning. The priority is the child's health."
For such children, connected insulin pumps could give them the chance to live more "normal" lives. Something as simple as a sleepover at a friend's house is often too risky for a child with diabetes, but if parents could remotely monitor a child's insulin levels via a connected insulin pump and an easy-to-use app, a serious risk suddenly becomes manageable.
That doesn't mean insulin-pump attacks will always be as rare as fatal lightning strikes. Everyone at the roundtable agreed that IMD manufacturers and regulatory agencies such as the Food and Drug Administration (FDA) are going to start considering cybersecurity.
But how much security?
Most software companies constantly maintain their products, issuing updates and fixing security holes. But with IMDs, software patches are not so easy. In the United States, every change to a medical device — even a security patch — must be accompanied by a ton of regulatory paperwork.
There was also concern that more security would result in less privacy for patients. The two are different, roundtable participants agreed: Privacy is keeping medical conditions, bills and health private, while security is defending against attacks, and sometimes the two values are completely at odds with each other.
What if a pacemaker is found to have an exploitable flaw in its code? How can that device be upgraded?
"I've yet to see an embedded device that does upgrades," Radcliffe said. "You know how you upgrade that? You open the person's chest up."
In this scenario, the upgrade is a security concern, but the invasive surgery needed to perform it is a privacy issue.
Another scenario discussed in the roundtable was the potential of IMDs to record and share personal information about their wearers. If an IMD wearer dies, who can look at a log of his or her health before death? That's a serious privacy concern, but what if it helps doctors find issues with IMDs, or detect evidence of foul play such as hacking?
It's not just implantable medical devices that could do with security upgrades.
"At what point will you refuse treatment when you see the MRI is running Windows XP?" one participant asked.
Both Radcliffe and the late hacker Barnaby Jack, who died just before last year's BlackHat conference, discovered and submitted flaws they discovered in medical software. None of the flaws have been patched, according to Radcliffe.
Even things such as encryption and passwords are difficult to implement in medical devices. What if a patient were having a heart attack, and the doctor needed immediate access to the pacemaker? Every second the doctor wasted looking up the pacemaker's password would put the patient at risk of permanent damage or even death.
"You can't apply strong authentication and encryption to all these devices," Radcliffe said. "It's not realistic. The patient's life has to come first."
But for all that, Radcliffe stressed, IMDs are "ultra-super safe from a medical perspective." Regulatory agencies have proven to be very good at ensuring medical devices' safety and consistently addressing the medical issues they were designed to solve.
Ultimately, the members of the roundtable didn't come to any conclusive decisions or breakthroughs. But the discussion highlighted the changes that digital technologies are bringing to the medical field, and challenged both medical and security professionals to consider the others' needs in developing solutions.
- Best Antivirus Software 2014
- Secure and Best Medical Alert Systems
- How Your Next Hotel Room Could Be Hacked
- 9 Tips to Stay Safe on Public Wi-Fi
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.