CybersecurityWireless implantable medical devices vulnerable to hacking

With rapidly advancing medical technologies, more and more Americans are fitted with wireless implantable medical devices (IMDs) such as cardiac pacemakers, defibrillators, cochlear implants, neuro-stimulators, and insulin pumps. This is leading to growing concerns over the vulnerability of such devices to hacking.

Mark Goodman writes in Slate that roughly 300,000 Americans receive IMDs a year, with 2.5 million people relying on them to treat a wide variety of illnesses and conditions like diabetes and Parkinson’s disease. A 2012 study by the Freedonia Group estimated that demand for IMDs will increase about 7.7 percent annually. The industry is expected to grow to $52 billion by 2015.

W

The Department of Homeland Security (DHS) has issued an alert, warning medical facilities that more than 300 different devices from forty separate manufacturers had vulnerabilities which could be exploited by a malicious hacker or group.

This warning follows incidents in which computers have been targeted by computer viruses such as the Stuxnet, credit card cryptographic algorithms have been reversed engineered, smart phones have been infected with malware, and Iraqi insurgents hacked the video feed of U.S. Department of Defense (DOD) Predator drone aircraft.

“Time and again, criminals and terrorists have proven extremely adept at subverting new technologies,” writes Goodman. “It only makes sense then that hackers will turn their attention to IMDs — and sadly, it shouldn’t prove too difficult for them. Though no known criminal attacks against IMDs have been uncovered so far, we can and should fully expect that organized crime will turn its attention to the computers inside of us, whether for financial gain, for attention, or simply to cause fear.”

Researchers have already been able wirelessly to change IMD device settings, disable therapies, and even deliver a shock through a pacemaker-defibrillator on command.

At a 2011 hacker conference, a known hacker who goes by the alias “Barnaby Jack” demonstrated how he could compromise of an insulin pump at a distance of a 300 feet. . He could alter the insulin amount remotely, which would result in death should someone have been implanted with the device.

“For the first time in the history of humanity, the human body has become subject to cyber attacks. The more we implant tiny computers inside ourselves to monitor and improve our health, the more we create opportunities for others to hack into our bodies and subvert these machines for any number of criminal offenses, with homicide being the most obvious concern,” wrote Goodman.

While researchers, hackers, and government regulators at organizations such as the Food & Drug Administration (FDA) have begun to ponder the implications of IMD hacking, little has been done to adddress the vulnerabilities of the technology.

No attacks have so far been reported, but Goodman urges that now is the time more fully to research, educate, and defend.

“Trained police investigators and coroners will need to rely upon biomedical engineers for their expertise in attempting to determine a cause of death. Conversely, device manufacturers and research scientists have limited understanding of the types of forensic evidence that would be required from an IMD to support a successful prosecution and conviction in case of criminal tampering,” he says.