WASHINGTON – Pacemakers, brain implants, insulin pumps and other medically implanted and external devices with wireless interfaces are vulnerable to cyber-attacks by hackers.
A recently released Department of Homeland Security bulletin sent to medical and cybersecurity industry professionals warns of possible future attacks.
This vulnerability raises a new security risk for the average person, high profile public figures and world leaders alike.
“One example of a common vulnerability I’ve seen is a medical device with a wireless interface, where the command and control doesn’t have cryptographic authentication,” says Dr. Kevin Fu, an associate professor in Computer Science at the University of Massachusetts-Amherst.
Fu says a hacker, using a wireless interface, could utilize “another computer or another device to change the settings on a medical device to infuse insulin or control the defibrillation of a heart.”
The problem is “medical devices I’ve seen today don’t generally have a way to know who is issuing a command or who is authorized,” Fu says.
According to the DHS bulletin, “Hackers can take advantage of routine software update capabilities to gain access and, thereafter, manipulate the implant.”
The warning is not speculation. It’s based on fact.
A crowd of people witnessed exactly that last August in Las Vegas.
Security expert Jerome Radcliffe, a diabetic who uses an insulin pump, showed onlookers at the 2011 Black Hat Technical Security Conference that his pump’s cyber vulnerabilities could lead to severe consequences.
He used a laptop and other computer-related gear to remotely disrupt the wireless signals being sent to his insulin pump, reverse them, swap the data being captured about his condition with phony data, and then send it back to the pump.
In effect, he demonstrated he could increase the amount of insulin injected by the pump, or reduce it, which could eventually kill him. During the chilling demonstration, the pump gave no indication that someone had tampered with it.
The National Cybersecurity and Communications Integration Center, which authored the bulletin for DHS, says many devices like these “are vulnerable to cyber-attacks by a malicious actor who can take advantage of routine software update capabilities to gain access and, thereafter, manipulate the implant.”
According to the American Heart Association, more than three million people have pacemakers and 600,000 are implanted each year.
“I would be more concerned with the newer devices rather than the older devices that will eventually be phased out,” Fu says.
He says older devices are not susceptible to the wireless vulnerabilities that newer ones are.
Global security is a particular concern because of the number of international figures with implants. Former Vice President Dick Cheney was the well-publicized recipient of a pacemaker. Former Polish President Lech Walesa has one.
There are others. Even though their medical information is closely guarded, the DHS bulletin raises concerns about the security of medical records:
“Increased wireless interconnectivity introduces additional configuration challenges between portable devices, medical IT infrastructure, remote facilities, and partner IT infrastructure. Portable medical devices are gaining popularity with the introduction of iPads, smart phones and laptops that use Windows and MAC operating systems. These devices are currently being used by healthcare professionals in direct patient care settings, including in hospitals to discuss healthcare information such as clinical tests, x-rays, and lab results with their patients in real time.”
The DHS document points out that doctors at the University of Chicago use iPads to access patient information and to aid with patient communication during consultations. According to the DHS bulletin, a security software firm discovered malware, called “The Backdoor.Bifrose.AADY,” which affected iPad and iTunes users connecting through Windows operating systems.
The Department of Health and Human Services says it is concerned about exploitation of potential vulnerabilities of medical devices on Medical IT networks because of misconfigured networks or poor security practices.
But Fu says there is good news.
“There is a lot of great research going on in the academic community, in order to increase the security of medical devices. But there has been no complete transfer of technology to the industry. There’s quite a bit more legwork to do,” he says.
Some of that work has been performed by researchers at Purdue University and Princeton University who have developed a proof-of-concept device, called MedMon. It blocks hackers from hijacking or interfering with wireless medical devices, like pacemakers, insulin pumps, or brain implants, but is still in the developmental stages.
The companies that make these devices say they are aware of the risk and have been working on solutions to eliminate the vulnerabilities.
“Medical technology companies take seriously all risks – no matter how small – that might threaten the integrity and security of their products. Our member companies are always working to increase the safety and reliability of their devices,” says Wanda Mobius, vice president of policy communications for the Advanced Medical Technology Association.
“Many manufacturers are beginning to admit that this is a real problem. If you had asked me the same question in 2008, many were in denial that this was a real problem,” Fu says.
Despite the risks, Fu says, “Patients are overwhelmingly safer with these devices than without. And certainly, if I were prescribed devices I would take it. These are emerging risks and patients should be assured that there are many people thinking about how to mitigate these risks.”