General Accountability Office analysts have concluded that implantable medical devices are vulnerable to hacking. Such medical devices are becoming ever more complex. Fast proliferation of wireless technology in such devices raises serious concerns about their safety and effectiveness in the face of information security risks.
Researchers already have demonstrated how interference might lead to undesired outcomes involving such devices as implantable cardioverter defibrillators and insulin pumps. In 2008, a team of academic researchers working in a controlled setting showed that they could remotely exploit a defibrillator by delivering a command, using the associated wand and programmer.
In 2010, a second demonstration occurred when a team of academic researchers remotely exploited an insulin pump, preventing it from operating properly. Additional demonstrations in 2011 by two security showed on separate occasions that they could also remotely exploit an insulin pump – specifically, manipulating the amount of insulin dispensed by the device.
Knowledge of how to interfere with such medical devices already is a matter of active study in hackerspace. For example, Leslie Pulipa of Mobile Magazine reported in March about the antics of hacker Barnaby Jack in this field. Jack shot into fame after hacking into a cash machine and making it spit money on stage during the Black Hat Computer Security Conference in 2010. Currently he is working on finding security soft spots in wireless medical devices, demonstrating how even life-saving devices are vulnerable to hacking and outside manipulation.
Jack recently used a radio device to show how easily a common insulin pump could be hacked to deliver lethal doses of insulin from within a patient’s body.
Risks like these could make any number of implantable wireless medical device types vulnerable. Unauthorized changes made to a medical device’s settings are possible if the device lacks appropriate access, authentication or authorization procedures. Loss or disclosure of sensitive data stored on a medical device can happen in absence of the same safeguards, or if a device lacks encryption. Device malfunctions can result from electromagnetic energy whatever the cause or intent.
In a report issued on Aug. 31, GAO recommended the Food and Drug Administration give such risks special attention, not merely prior to approval of particular devices but also continuously after their approval and deployment into medical use.
FDA is the agency responsible for ensuring the safety and effectiveness of medical devices in the United States. FDA reviews manufacturers’ applications to market medical devices during its premarket review process and monitors devices, once it has approved them, through its post market efforts.
GAO discovered that multiple information security threats exist that can exploit vulnerabilities in active implantable medical devices. At the same time, experts advise caution about efforts to mitigate information security risks, which actually may adversely affect device performance.
Threats to active devices – devices that rely on a power source to operate – that also have wireless capability can be impaired by intentional or unintentional interference. Unintentional interference would include such factors as ambient electromagnetic energy. Intentional interference would have the nature of unauthorized accessing of a device. The former already occurs. The latter is the source of greater concern however.
Untested software and firmware and limited battery life are among the technical factors which can facilitate interference. Tangibly negative results which could result from intentional interference would include the changing of device settings for any number of nefarious reasons. The report insinuates that those actually engaged in reporting on implantable device use may be deficient because much of this technology is comparatively new and FDA staff doing the monitoring might not understand the relevance of information security risks.
GAO recommends that the Secretary of Health and Human Services direct the Commissioner of FDA to develop and implement a more comprehensive plan to assist and enhancing its review and surveillance of medical devices as technology evolves, incorporating multiple aspects of information security. The plan at very least should identify how FDA can:
“(1) increase its focus on manufacturers’ identification of potential unintentional and intentional threats, vulnerabilities, the resulting information security risks, and strategies to mitigate these risks during its PMA review process; (2) utilize available resources, including those from other entities, such as other federal agencies; (3) leverage its postmarket efforts to identify and investigate information security problems; and (4) establish specific milestones for completing this review and implementing these changes.”
Implicitly the recommendations acknowledge that devices being deployed in actual medical use are deficient in terms of security and vulnerability – hence post market attention to the hacking risk is of paramount concern.
See the full GAO report here.