Implantable Medical Devices Pose Security Challenges, Opportunities
Researchers have demonstrated that implantable medical devices (IMDs) can be hacked. What can we do to minimize security risks?
For years, protecting PCs from hackers has been standard practice. But while much attention is devoted to securing PCs, a set of gadgets even more important to our daily lives remains vulnerable to attack: implantable medical devices (IMDs) that communicate wirelessly.
Although the Food and Drug Administration (FDA) has no evidence of real-world hackers interfering with IMDs, several researchers have demonstrated that the hacking process is relatively simple.
"Clearly, the approach of 'security by obscurity' is not the right one going forward," Symantec Healthcare Solutions Architect Axel Wirth wrote in an email. "We all -- patients, manufacturers, healthcare professionals and government -- have to work on a reliable and secure solution for the future."
In 2008, a team of researchers hacked into a defibrillator, a device that uses electrical shocks to regulate heart rhythms. From a few centimeters away, the researchers were able to change therapy settings, deliver commanded electrical shocks, deplete the device’s battery life and extract confidential patient information. What’s more, the researchers used readily available technology: a commercial programmer, a software radio eavesdropper and a software radio programmer.
Insulin pumps aren’t immune either. In 2011, network security expert Jerome Radcliffe remotely shut off his own insulin pump at the Black Hat security conference.
The same year, McAfee research architect Barnaby Jack hacked into his friend’s insulin pump from 300 feet away. Jack later told the BBC that he can influence any pump within that range.
Media coverage of the researchers’ work led three members of Congress to request a report on the security of IMDs from the Government Accountability Office (GAO). The report came out last year.
"[Manufacturers] have a strong interest in ensuring their devices are safe so people aren't worried about using them," said GAO acting Director Vijay D’Souza.
Still, demonstrations by researchers like Radcliffe and Jack have yet to make hacking a top concern among most IMD users. David Edelman, president of Diabetes Daily, an online community for people with diabetes, said that a destructive insulin pump hack is both unlikely and difficult to execute.
"An insulin pump isn't set-it-and-forget-it," Edelman said, adding that users could counteract the effects of excess insulin by eating carbohydrates or taking a shot of glucagon. "Is this something the average person should worry about? Probably not."
Nevertheless, it’s hard to predict the future implications of these security vulnerabilities. "PC vendors didn't really address security issues before they were exploited by real-world hackers, even though they knew about the vulnerabilities for many years," ForeScout Vice President of Technology Gil Friedrich wrote in an email. "Even after PCs were hacked, it was only [addressed] when hacking started being a threat to revenue."
How to Secure IMDs
According to Wirth, there are two main security options for IMDs: authentication and encryption. Authentication would prevent unauthorized changes to an IMD’s settings, but it would not protect confidential patient information. While encryption would do both, it would also give manufacturers several implementation challenges.
IMDs are resource-constrained devices, and the significant computing overhead associated with encryption would shorten the IMD’s lifespan. To counteract the effects of encryption, IMDs would need to use the latest processors, which pose yet another problem. IMDs cannot afford to use cutting-edge technology; a bug could lead to bodily harm or even death.
Defibrillators, which don’t come with personal programmers, have their own limitations. Wirth cautioned that any security approach should be the same across manufacturers. "We need to bear in mind that this is not a one-on-one problem," Wirth wrote in an email. "A local hospital or doctor will see many patients and adjust their settings from a single programmer, and as a patient, I may be traveling and end up at a different hospital than my usual one."
As always, challenges mean opportunity. Researchers at UCLA proposed the use of a Personal Security Device, which would eliminate the need to directly modify IMDs. The researchers envision a small, portable gadget that would insert itself between the IMD and the access point. The Personal Security Device wouldn’t prevent IMDs from pairing with other devices -- a weakness researchers make note of -- but it would listen in on communication with outsiders.
Networking and security companies that find ways to get around these challenges could see significant rewards. "Ten years ago, there was very little networking inside hospitals," Itron Principal Consultant Malik Audeh said. "At this point, nearly all hospitals have devices on the network."
Eventually, an IMD without an extra layer of security could become a thing of the past.
"As you're developing the next generation of technology, security is something to consider," Edelman said. "Maybe manufacturers should be hiring Mr. Radcliffe."
Maya Itah is a writer and editor specializing in technology and public policy.
By Jeff Goldman
April 18, 2013
All 13 routers studied by ISE can be taken over from the local network, and 11 of the 13 can be taken over from the WAN.