Blog Tag: Hacking

Recall Highlights Medical Device Cybersecurity Issues

On August 29, the FDA announced a recall of 465,000 implantable pacemakers, citing concerns that hackers may be able to take control of the pacemakers’ settings. This would open patients up to danger from improper pacing or rapid depletion of the devices’ batteries, according to the FDA’s statement.  Instead of removing and replacing the pacemakers, the recall is designed so that doctors will install a firmware upgrade that removes the vulnerability.

Newsfactor reports that there have been no reported exploits of the vulnerability and no devices have yet been compromised.

The recall highlights that medical device manufacturers are beginning to take a more focused approach to cybersecurity.  Mac McMillan, CEO of privacy and cybersecurity firm Cynergistek, told Modern Healthcare that “If devicemakers didn’t already have developers sitting around looking at cybersecurity, they now have to incur the costs of making sure their devices stay current. In the past, they’ve developed devices and put them on the market and moved onto the next device. This is a new thing for them.”

Mike Kijewski, CEO of medical device security company Medcrypt, also suggested that the FDA should update its regulations to help medical device companies stay on top of cybersecurity threats.  “If the FDA can say you’re just doing the update for cybersecurity and the changes are minimal and the functionality of the device isn’t changing, they can make the update happen faster,” Kijewski suggested.

Canada’s equivalent of the FDA, Health Canada, is still looking into the vulnerability and its proposed solution, and has set a target of 75 days to resolve the situation.

Hacking the Human Body – Medical Device Security

Medical device development, as always, is shooting upwards – and it has just reached the clouds.

According to News Medical, Verizon just announced that it received 510(k) clearance for its Converged Health Management medical device (the first time Verizon has applied for and received FDA clearance). Converged is a remote patient-monitoring medical device based in the cloud and according to the press release should be available in late 2013.

Verizon claims that the new healthcare solution resides in its allegedly “HIPAA-ready cloud” and will provide easy access to nearly real-time patient data from connected medical devices.  Theoretically, this will allow nearly constant medical monitoring – for example, you’re driving your car and you begin to display pre-stroke symptoms (which you can’t notice), if you’re hooked up to Verizon’s “HIPAA-ready cloud,” your primary care physician can call you to tell you to make your way to the nearest hospital.

The potential benefits of this technology could be very interesting (it doesn’t take much imagination to think of some). However, there are also potentially significant consequences. Clearance to fully wireless based devices was first granted in 2006.  The FDA has recognized that, while it grants clearance to wireless and cloud-based medical devices, such wireless devices may present a significant security risk. On August 13, 2013 (a surprising 7 years after the first wireless based device clearance) the FDA issued “Radio Frequency Wireless Technology in Medical Devices – Guidance for Industry and Food and Drug Administration Staff,” a guide that attempts to offer “reasonable assurance of safety.” In recognition of the potential for cyber-attacks on wirelessly connected and internet-enabled medical devices (and the patients connected to them), the Center for Internet Security has publicized a new initiative attempting to better secure such systems from cyber-attacks.

All security systems have vulnerabilities which can be exploited – the question is how small they are and how smart a potential attacker must be to find them. Will Pelgrin, the president and CEO of the Center for Internet Security stated that:

[W]e wanted to be ahead of the curve. Instead of waiting for a major incident to happen, we wanted to provide guidance across the board. . . . As these devices become connected to the internet and networks, they become more than just clinical devices, they become IT systems. As we all know, the weakest node on a network can be your entry point for negative consequences that can affect those devices.

The EE Times points out that many medical devices (which can be connected to networks), such as sport watches, monitoring bracelets, heart rate monitors and pedometers, offer valuable information but would not harm the wearer upon malfunction.  However, there are many medical devices which are life-sustaining, such as pacemakers, insulin pumps, defibrillators, and neural implants.  If these medical devices were “hacked” through inherent weaknesses or through weaknesses in a node of the network to which they are connected, the consequences could obviously be fatal.  According to the article, an insulin pump has already been hacked (by a diabetic white hat hacker demonstrating weaknesses in the system).