Insulin Pumps, Other Implantable Medical Devices Could Be Hacked
Could your insulin pump or pacemaker be the target of hackers? The announcement by a security researcher at the Black Hat computer security conference in Las Vegas that his own implantable insulin pump could be hacked brings to light a concern that experts have been investigating and which has frightening and even deadly implications.
Implantable medical devices could be hacked remotely
Before this most recent information about the possibility of hacking into medical devices was released by Jay Radcliffe, a diabetic who spoke with The Associated Press before presenting his findings at the Black Hat conference, there has been little published about this phenomenon, although this does not mean no one is working on the issue.
The Medical Device Security Center, for example, is a collaborative partnership between researchers at Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts Amherst, and the University of Washington. These investigators are working to better understand and find a “balance between security, privacy, safety, and effectiveness for next-generation medial and pervasive healthcare devices.”
One article from researchers associated with this Center appeared in the New England Journal of Medicine entitled “Improving the Security and Privacy of Implantable Medical Devices.” The authors warned that medical devices “face a security vulnerability that must be addressed through regulatory and scientific actions.”
A recent (August 2011) study that was the effort of researchers from the University of Massachusetts Amherst and the Massachusetts Institute of Technology, discussed how to modify implantable medical devices (IMDs) to protect them from hackers. In the article, entitled “They Can Heart Your Heartbeat: Non-invasive Security for Implantable Medical Devices,” the authors noted that recent work “has demonstrated that wireless connectivity can be exploited to compromise the confidentiality of IMDs…to deliver an electric shock to the patient.”
Another example was presented at the Institute of Electrical and Electronic Engineers Symposium on Security and Privacy in March 2008. Kevin Fu, PhD, of the University of Massachusetts Amherst, and his colleagues, hacked into implantable medical devices and seized patient information such as name, medical record number, birth date, and disease diagnosis. They were also able to compromise patient safety by altering the settings and even instructed the device to send an electrical shock that could induce a deadly arrhythmia.
Implantable medical devices such as insulin pumps, pacemakers, and cardioverter defibrillators can be controlled remotely by patients and by medical professionals. But they may also be the target of hackers, and the results could be deadly.
According to the Associated Press article, there is no evidence anyone has made use of the techniques Radcliffe used to hack into his own insulin pump, but the opportunities are there. Although medical device manufacturers are working to prevent the possibility of hacking and experts such as those associated with the Medical Device Security Center are on task, hacking into medical devices that people depend on for their very survival is not science fiction—it is reality.
Gollakota S et al. SIGGCOMM’11, 2011 Aug 15-19, Toronto Canada
Halperin D et al. Proceedings of the 2008 IEEE Symposium on Security and Privacy
Maisel WH, Kohno T. New England Journal of Medicine 2010 Apr 10; 362:1164-66
Medical Device Security Center
Image source: Wikimedia Commons