A graduate seminar: current topics in computer security
 

Medical Device Security

While browsing the links page to find an interesting article to write up, I stumbled upon this piece in Threatpost by Dennis Fisher and was intrigued. In the article, Fisher talks about how medical devices, a previously relatively untapped market for hacking, have recently come under attack. Already, pacemakers and insulin pumps have been exploited to deliver lethal doses to their owners, rather than the life-saving functions they are intended for. These new hacks open up a whole new deadly area of security flaws, where a hacker could do much more than just steal your financial information, but actually harm your physical health.

Before reading this article and the presentation in class today, I had never even contemplated attacking medical devices to remotely control their functionality. As the medical industry becomes more technologically advanced, however, it is paramount that security vulnerabilities in life-saving medical devices are addressed and healed. The consequences of a gap in a medical device's security are disastrous compared to any other attack against an individual.

The medical industry as a whole needs a huge upgrade in terms of security. I question whether personal implanted medical devices, like pacemakers or insulin pumps, should even be capable, in their design, of delivering lethal volts or doses. Outside of the realm of personal devices, other aspects of medical facilities and hospitals are far behind in their security capabilities. As the article mentions, most hospital computers still run on outdated and vulnerable operating systems, enabling hackers to access deeply confidential and potentially life-saving information. Personally, I value my medical information far more than my credit card or browsing data, and it is disturbing to learn that in many ways, my medical information is far less protected.

However (as we touched on in the presentation today), the nature of these devices as life-saving medical treatments causes difficulties for security protocols. A pacemaker, if and when it detects a malicious attack, cannot just stop regulating a patient’s heart, but must continue on as is. On the other hand, in an emergency situation, doctors need to be able to bypass any security measures quickly and easily to make quick calls that could save the patient’s life. More research into the design of a security system with this functionality, though complicated, is absolutely critical as medical devices become more prevalent and common.

One Response to “Medical Device Security”

  1. rs35 says:

    It’s incorrect to say that “Already, pacemakers and insulin pumps have been exploited to deliver lethal doses to their owners, rather than the life-saving functions they are intended for”. I don’t think any human being has been attacked using these methods. Researchers have presented that it is possible to attack a person, if they know the exact model of the device, its modulation method, encoding scheme etc. This requires lots of reverse engineering & study.

    I also don’t agree with the statement “I question whether personal implanted medical devices, like pacemakers or insulin pumps, should even be capable, in their design, of delivering lethal volts or doses.” ICDs are capable of delivering shocks in the range of 750-800 volts. This is needed to correct the heart rhythm & save the life of the patient. If you take out that functionality, ICDs are pretty much useless.
