It’s in the news every day—some shocking political or economic hack, like the one just announced by Marriott revealing the sensitive personal data of up to 500 million guests. It’s become part of our normal day to hear about lost profits, stunned CEOs, and scrambling IT departments. But lurking behind the scenes is a more insidious and terrifying attack, namely on medical implants. It may sound far-fetched, like hacking a jumbo jetliner, but the truth is—it can happen to anyone, even you. When Vice President Dick Cheney’s heart pacemaker was replaced in 2007, the device’s wifi was specifically disabled to prevent possible hacking attacks. If the Vice President was concerned enough to take that drastic step over a decade ago, is it any safer today?
Medical implants have come a long way in ten years, but has cybersecurity kept up? As with most questions concerning hacking, there is no yes or no answer. The good news is, there are no verifiable reports of successful implant attacks—but as we know, that doesn’t mean it can’t or won’t happen. The bad news is, researchers have consistently demonstrated the total hackability of these devices.
What kind of devices are we talking about?
The implantable devices attracting the most attention lately are pacemakers, implantable cardiac defibrillators (ICDs), and insulin pumps. These devices use wireless technology to monitor, report on, and/or adjust the function of vital human organs. Pacemakers and ICDs help regulate the heart’s ability to pump life-sustaining blood throughout the body, while insulin pumps, used in conjunction with glucose monitors, deliver insulin so the body can regulate blood sugar. Although insulin can be deadly if administered incorrectly, it is also a necessary part of successful diabetes treatment. Medical devices with features like wireless connectivity, remote monitoring, and near-field communication are great technology when used as designed, as they allow implanted devices to be adjusted and monitored 24/7 without invasive intervention. Yet when those same features are misused, these devices have the potential to cause severe injury or even death.
These are swift, silent, and potentially deadly exploits.
Back in 2016, Johnson & Johnson notified 114,000 diabetic patients of a possible exploit in one of their insulin pumps. Cybersecurity researchers had already confirmed the possibility of taking control of such a device, even changing the settings and dosages on the “Animas OneTouch Ping” pump from up to 25 feet away. Johnson & Johnson worked quickly to secure the pumps, and no actual attacks were reported—but this incident served notice to the world that this type of hack was not only possible, it was all but inevitable.
Last year, two different researchers demonstrated the ability to take control and reprogram a Medtronic pacemaker from anywhere, opening up the potential for a wide variety of hacking. Medtronic worked hard throughout 2018 to correct the problem but announced in October that it was switching off the software distribution system that enabled the potential hack. Instead of a simple internet-based update, customers will now face greater hassles and inconvenience to take full advantage of their implant. Once again, no actual hacks have been reported to Medtronic, but consider the impact of a ransomware attack against an individual pacemaker. Who wouldn’t pay up when their life—or that of a loved one—depended on it?
What’s being done?
Medical hacking has become an increasingly visible threat to the health and safety of the nation, if not worldwide. Government organizations have begun to look into ways to address these issues in a timely manner. In 2016, the U.S. Food and Drug Administration issued draft guidelines with recommendations to improve medical device security. Included were suggestions such as information sharing among manufacturers, faster response to security risks, and clearly defined guidelines on how to handle and disclose security issues.
In August 2017, Sen. Richard Blumenthal (D-Conn.) introduced the Medical Device Cybersecurity Act of 2017. Among other actions, this legislation created a cyber report card for medical devices, which would now have to meet certain guidelines:
- controlled release of security patches
- stronger cyber protection for remote access
- security testing before the public release of any device
It would also put cybersecurity of medical devices under the jurisdiction of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). However, like many things in government, legislative action often moves at a snail’s pace. Although the bill was submitted to the committee on Health, Education, Labor, and Pensions over a year ago, no further action has been taken. The healthcare industry already has a problem with compromised patient records.
Perspective is helpful.
According to security firm Symantec, the average healthcare provider spends less than six percent of its information technology budget on security, while financial and banking institutions average more than 13%. The federal government spends 16% of its IT budget on security. It’s time the healthcare industry faced up to the need for a greater emphasis on defending against healthcare hacking. Granted, with increasingly sophisticated attacks and attackers, medical device manufacturers are beginning to employ a more systematic approach to ensure an appropriate level of cyber security. But there is still a long way to go: the medical devices many of us rely on for survival remain poorly protected against cyber threats, and until that changes we cannot feel completely secure.