Can Hacking Make You Physically Ill?
In the second season of the show, Homeland, the Vice President of the United States was assassinated by terrorists. In an elaborate plot, hackers were able to obtain Vice President’s pacemaker identification number and then remotely cause him to die of a heart attack.
As the fictional Vice President slumped over and took his final breaths, many viewers were left wondering if medical device hacking is the stuff of science fiction or is it something that could actually happen?
In fact, one of the viewers of that night’s episode happened to be former Vice President, Dick Cheney, who had a device implanted to regulate his heartbeat in 2007. In an interview with “60 Minutes” Cheney said, “I found [the depiction] credible because I knew from the experience that we had assessing the need for my own device that it was an accurate portrayal of what was possible.”
While much of the focus has been on the ability of hackers to harm patients directly, an additional prize for hackers lies in gaining entry to a hospital or medical center network. Medical device hacking might just be the entry point hackers seek.
To illustrate the risk of medical device hacking in the real world security expert, Jerome Radcliffe himself is a diabetic, demonstrated how a hacker could remotely turn off a diabetic person’s insulin pump or manipulate any setting on the pump without the person’s knowledge.
In 2013, another security expert, Barnaby Jack, was slated to give a presentation called. “Implantable Medical Devices: Hacking Humans”. This presentation was also referred to as “how to kill a man at 30 feet by hacking his pacemaker.” Jack had developed a software that allowed him to remotely send an electric shock to anyone wearing a pacemaker within a 50-foot radius. Unfortunately due to his untimely death, this presentation was cancelled.
Although the hacking of wireless infusion pumps and other medical devices has yet to happen, it is now considered an absolutely critical cyber security vulnerability. While much of the focus has been on the ability of hackers to harm patients directly, an additional prize for hackers lies in gaining entry to a hospital or medical center network. A medical device might just be the entry point hackers seek.
In an effort to prevent medical device hacking, the FDA is urging medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cybersecurity threats.
Hospitals store a wealth of records containing sensitive data such as financial, medical, and identity information. What if hackers could hijack a pump and use it to access this extremely attractive trove of data or create a large-scale disruption of operations?
As this critical vulnerability only continues to generate more attention, the FDA weighed in on this issue during its first cyber security conference concerning medical devices. In its statement, the FDA urged medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cybersecurity threats.
In addition, the U.S. Department of Homeland Security began investing a number of suspected cyber security flaws in various medical devices and hospital equipment that officials feared could be vulnerable to cyber attack.
Meanwhile, at a recent NIST (National Institute of Standards & Technology) conference in Minneapoils, a number of attendees compared hospital’s infusion pump vulnerabilities to those exploited at Target last year. In that instance, hackers breached the retail giant’s defenses by snaking in a back-door that was intended for use by an HVAC contractor. The end result being that hackers obtained personal data on over 70 million customers.
As our professional and personal lives become more intertwined with technology and hackers become more creative in the ways they attack, it only becomes more apparent that data security is absolutely critical.