HACKING INTO MEDICAL DEVICESJANE WANG

SECTION 2

CYBERSECURITY

• Unauthorized access to data, which are either resident in or exchanged between computer systems

• Attacks on system resources (i.e. computer hardware, operating system software, and application software) by malicious computer programs

• Attacks on computer networks, including infrastructure of privately owned networks and the Internet itself

THE ISSUE

• Medical devices are often connected wirelessly to hospital networks and are therefore vulnerable to cyber attacks

• More than half the devices sold in America rely on software

• So far, no known incidents of a hacked medical device injuring/killing a person have occurred, but research has shown it is possible

PREVIOUS ACCIDENTS - UNINTENTIONAL

• Dozens of cases of viruses infecting computers that control X-ray machines and laboratory equipment

• Bug in the software of a radiotherapy machine caused massive overdoses of radiation to be delivered to several patients, killing at least five

• One in three of all software-based medical devices sold in America between 1999 and 2005 were recalled for software failures

PACEMAKERS

• Small device placed in the chest or abdomen to help control abnormal heart rhythms

• Uses electrical pulses to prompt the heart to beat at a normal rate

• Have wireless transmitters to allow them to be programmed without an invasive procedure

• Allows medical professionals to send pacemakers new instructions

• As of 2013, roughly one million people have pacemakers in the U.S.

PACEMAKERS – THE DANGER

• Due to the convenience of wireless transmitters, security vulnerabilities of remote attacks on the body are now possible

• Allows for hacking through not only a laptop, but also Malware installed on a hospital or company computer that may briefly interact with an implant

• Could infect, reprogram, or command the device to perform a more lethal function

BARNABY JACK

• Discovered a way to hack into a pacemaker via its wireless transmitter and make the device send an 830-volt shock through a person’s body

• Can be done with a laptop from 30 to 50 feet away

• Demonstrated the hack during a talk at Breakpoint security conference in Melbourne, Australia

• Was also able to access personal data stored on implants, such as confidential patient information and the doctor’s name

INSULIN PUMPS

• Device used for administration of insulin in the treatment of diabetes

• Many insulin pumps are now wireless

• Allows the patient to check on the pump’s status and activity

• Allows for control of the dosage administered

• As of 2007, over 400,000 insulin pump users in the U.S.

INSULIN PUMPS – THE DANGER

• Wireless transmitters once again can cause problems, and cause the pump to deliver a deadly dose of the hormone

• Currently there are patents for insulin pumps that can hook up to WiFi and be controlled via a web browser

• Huge potential for exploits, especially since exploits to compromise web interfaces are developed daily

BARNABY JACK

• Also discovered how to hack insulin pumps

• Was able to obtain complete control of all pumps within a vicinity without any prior knowledge of their serial numbers

• Able to cause device to repeatedly deliver its maximum dose of 25 units until the entire reservoir was depleted

• Able to hack pumps from a distance of up to 300 feet using a high-gain antenna

DELOITTE STUDY

• Consultants interviewed representatives from 9 health care organizations

• Majority felt that their organizations had strategies and frameworks for managing cybersecurity risks

• However, many differences in the degree of preparedness and approaches for handling cyberthreats

WHY IS THIS ETHICAL?

• If nothing is done about it, millions of people are put at risk

• However, medical professionals will still be able to change settings without the use of medical procedures, allowing for the patient to carry on through everyday life normally

• If something is done about it, either:

• Research will be conducted to find a safe solution that preserves the patient’s convenience, but in the mean time will people will still be at risk

• Wireless transmitters will be removed, and patients will have to suffer through invasive procedures whenever a change is required

SOLUTIONS

• Encryption

• Problem: Encryption takes up valuable processing time on a device

• Goal: To develop encryption that addresses the cyberrisk without impacting the functionality of the device

• Open-source

• Start making open-source devices, so more people can learn how these devices work

• Allows for more minds to come up with security issues, as well as discover fixes for them

• Currently prohibited for use on live human patients

SOLUTIONS

• Researchers at Rice University have found a way to use a heartbeat reading as a way to confirm that whoever is trying to reprogram or download data from a device is in direct contact with the patient

• Makes it clear if someone is a remote hacker

• This fix could work even in emergency situations where no delay can be tolerated

• Researchers from Princeton and Purdue University have developed MedMon, a prototype firewall

U.S. FOOD AND DRUG ADMINISTRATION

• FDA has released draft guidance for cybersecurity concerns

• New draft lays out specific concerns that must be addressed when applying FDA approval for new devices

• Requires manufacturers to report security breaches, and has called upon them to review and improve their security procedures

• FDA is now developing a cybersecurity laboratory to focus on potential threats to medical devices and systems