AcuteCare Telemedicine Blog


Hacking a Patient's Health

The FDA has made medical device cyber security a high priority, even as it stresses that there have been no reported incidents of malicious medical device hacks or of patients harmed by a security-related issue. To think that a malicious attack on implanted medical devices has not yet happened may be a reasonable assumption, but it’s not based on any empirical evidence one way or the other. In short, it may have happened.

When government officials talk about cyber-attacks, they usually warn of power stations being shut down, planes falling from the sky or financial markets being unable to function. Extending that concern to personal medical devices is more than a little unnerving to patients whose lives depend upon implanted medical devices. Last year researchers at McAfee, a computer-security firm, said they had found a way to subvert an implanted insulin pump to make it deliver 45 days’ worth of insulin in one dose. The elementary error, which afflicts many devices, is that they contain hard-coded passwords, making it easier to break in and tamper with the software.

When it comes to improving the security of the software that controls medical devices, however, one unique difficulty is that the software in most devices is closed and proprietary. This prevents rival manufacturers from copying it, but also means that security researchers cannot scrutinize it for flaws. Greater use of open-source software might be one way to improve reliability and security. The FDA requires manufacturers to report security breaches, and has now called upon them to review and improve their security procedures. But it still leaves it primarily up to manufacturers to check the integrity of their software, rather than delving into the code itself. With a host of new medical devices in the pipeline that are essentially add-ons for smartphones, the need to ensure the security of the software components of medical devices will only become more urgent in the coming years.

A prominent hacker who discovered a way to have automatic teller machines spit out cash was set to deliver a talk about hacking pacemakers and other wireless implantable medical devices, but recently died in San Francisco just prior to speaking at a security conference in Las Vegas. The headline of his talk was “Implantable Medical Devices: Hacking Humans.” According to a synopsis, Barnaby Jack had planned to demonstrate his techniques to hack into pacemakers and implanted defibrillators.

We’re getting used to the nuisance that is malicious hacking. We’ve had databases with our personal information hacked, we’ve had our cell phones and tablets hacked, we’ve had our work networks attacked. We’ve seen attempts to hack into our home Wi-Fi networks and our video baby monitors, and not a week goes by that someone doesn’t try to hack into critical government and municipal networks that control such things as the electric grids or air traffic control network. But given that more of the world is becoming wirelessly networked, there are some truly terrifying prospects when it comes to the hacking of the most personal devices: implanted pacemakers, defibrillators or insulin pumps.

Calming news for patients with implanted medical devices is that researchers are working on authentication codes, delivered via the patient’s heartbeat, that are relatively foolproof because the live heartbeat and the heartbeat from the device must match precisely. This would prevent a hacker from using a recorded heartbeat (perhaps lifted from a patient’s EKG) to try to circumvent the system. For all the great good that comes from modern technology, we must remain vigilant to the threats posed by those who seek to use the technology with evil intent.

