From pacemakers to smartwatches, we are increasingly becoming a cybernetic species. For this reason, recent headlines about vulnerabilities in implanted medical devices may trigger alarm bells. Can your grandfather's pacemaker really be hacked, and if so, what is the real risk?
It's a topical issue. Yes, there are major changes in medical technology
Vulnerabilities Warn Hacking Risks
Last March, the Department of Homeland Security warned that hackers could access Medtronic's implanted pacemakers wirelessly. Then, just three months later, Medtronic voluntarily recalled some of its insulin pumps for similar reasons.
Superficially, this is scary, but maybe not quite as bad as it sounds. Hackers cannot access implanted pacemakers or make far-reaching attacks from a remote terminal. To hack one of these pacemakers, the attack must be performed in close proximity to the victim (within Bluetooth range) and only when the device connects to the Internet to send and receive data.
The risk is unlikely to be real. Medtronic has designed the communication protocol of the device so that it neither requires authentication nor encrypts data. Anyone who is sufficiently motivated can change the data in the implant and possibly change its behavior in a dangerous or even deadly way.
Like the pacemakers, the recalled insulin pumps can be wirelessly connected to related devices such as a meter. This determines how much insulin is pumped. This family of insulin pumps also has no built-in security, so the company is replacing it with a cyber-conscious model.
The industry is catching up
At first glance, Medtronic seems to be the figurehead for unsuspecting and dangerous security (the company has not responded to our request for comment on this story), but it's far from being alone. "The state of cybersecurity in medical devices is generally poor," said Ted Shorter, chief technology officer of IoT security firm Keyfactor.
Alaap Shah, a lawyer specializing in privacy, cybersecurity and healthcare regulation at Epstein Becker Green, explains: "Manufacturers have not developed products in the past in terms of safety."
In the past, operations had to be performed to manipulate a pacemaker. The entire industry is trying to be at the cutting edge of technology and understand the implications for safety. A rapidly evolving ecosystem, such as the medical IoT mentioned above, presents an industry with new security needs never before thought of.
"We are at a turning point in the growth of connectivity and security concerns," said McAfee's threat investigator, Steve Povolny.
Although the medical industry has security holes, no medical device has ever been hacked in the wild.
"I do not know of any exploited vulnerabilities," Shorter said.
"Criminals just do not have the motivation to hack a pacemaker," Povolny said. "Medical servers that can hold ransomware patient records as hostages achieve higher ROI. That's why they seek this area – low complexity, high ROI."
In fact, why invest in complex, high-tech manipulations of medical devices when hospital IT departments have traditionally been so poorly protected and paid so well? In 2017 alone, 16 hospitals were paralyzed by ransomware attacks. If you disable a server, you will not be murdered if caught. However, hacking a functioning, implanted medical device is another matter altogether.
Attacks and Medical Device Hacking
However, former Vice President Dick Cheney did not take any risks in 2012. When the doctors replaced his older pacemaker with a new wireless model, they disabled the wireless features to prevent any hacking. In part inspired by an act on the television program "Homeland," Cheney's doctor said, "It seemed like a bad idea for the vice president of the United States to have a device that someone might be able to … chop into."
Cheney's saga points to a frightening future in which people are being remotely attacked by medical devices that regulate their health. But Povolny does not believe that we will live in a science-fiction world where terrorists zap humans through manipulation of implants remotely.
"Rarely do we see interest in attacking individuals," Povolny said, citing the tremendous complexity of the hack.
That does not mean it cannot happen. It's probably just a matter of time before someone becomes the victim of a real Mission Impossible hack. Alpine Security has created a list of five device classes that are most vulnerable. Topping the list is the venerable pacemaker, which made the cut without Medtronic's recent recall; Alpine instead cited the 2017 recall of 465,000 implanted pacemakers manufactured by Abbott. The company had to update the firmware of these devices to close any vulnerabilities that could easily lead to the death of the patient.
Other devices feared by Alpine include implantable cardioverter defibrillators (similar to cardiac pacemakers), drug infusion pumps, and even MRI systems that are neither bloody nor implantable. The message here is that the medical IT industry has a lot of work to do to secure all sorts of devices, including large outdated hardware that is exposed in hospitals.
How safe are we?
Fortunately, analysts and experts seem to agree that the cybersecurity situation of medical device manufacturers has steadily improved in recent years. This is in part due to the guidelines that the FDA released in 2014, along with Task Forces for cooperation between government agencies that cover multiple sectors of the federal government, schedules for device updates. "It's necessary to balance test equipment so that we do not hurt anyone, but it does not take that long before attackers have a very long time to investigate and implement attacks on known vulnerabilities."
According to Anura Fernando, UL's Chief Innovation Architect for interoperability and safety of medical systems, improving the safety of medical devices is currently a top priority in government. "The FDA is preparing new and improved guidelines. The Healthcare Coordinating Council has recently published the Joint Security Plan. Standards development organizations continue to develop standards and create new ones when needed. The DHS continues to expand its CERT programs and other critical infrastructure protection plans, and the healthcare industry works closely with others to continually improve cybersecurity to keep pace with the changing threat landscape."
Maybe that's reassuring. There are so many acronyms, but there's still a long way to go.
"While some hospitals have a very sophisticated cyber security posture, there are still many who have difficulty understanding how to handle basic cybersecurity hygiene," Fernando lamented.
Can you, your grandfather, or a patient with a portable or implanted medical device do anything about it? The answer is a little daunting.
"Unfortunately, the responsibility lies with the manufacturers and the medical community," said Povolny. "We need more secure devices and a proper implementation of security protocols."
There is one exception, however. If you use an end user device, such as a smartwatch, Povolny recommends that you apply good safety hygiene. "Change the default password, apply security updates, and make sure there is no permanent Internet connection."