Medical devices of today have become a necessity rather than a luxury.
Most of the modern medical devices contain computer systems which are embedded right into them.
In many cases, these medical devices have actually become critical.
And what happens to things which are critical and as well as connected to the internet?
Yes.
They attract hackers.
Hackers want to breach these medical devices and cause all sorts of chaos.
But before hackers can “get” to these devices, these medical devices must have some sort of vulnerabilities that they can exploit for a security breach.
Remember, most, if not all of these medical devices are connected to broadband internet connections.
They are also connected to smartphones along with hospital networks.
All of this further increases the risk of hackers hacking into these medical devices via security breaches.
Moreover, some of the latest medical devices are now highly interconnected.
Hence, they pose a great risk to thousands if not hundreds of thousands of patients who use these medical devices.
To put it more simply, these medical devices have left many patients vulnerable to hacker and all sorts of cyber attacks.
The problem hasn’t quite reached epidemic levels but this is a good time to start a productive debate on a national level.
Security experts along with manufacturers have to start talking about how security issues affect these medical devices.
Other questions such as how these medical devices operate and treat the patient should also take center stage.
Medical devices have to evolve with the rest of the technology and related threats.
As mentioned before, some of these medical devices have become such complex pieces of software that they can legitimately resemble consumer grade computers.
And hence they are exposed to the same cyber security risks.
General purpose computers, though powerful, regularly come under heavy cyber attacks.
And there is no reason for hackers to not do the same to these medical devices as well.
Medical devices themselves pose a threat to the whole system as well.
How?
Well, since these medical devices have critical flaws and they are connected to a sensitive network, they can allow hackers to gain access to hospital networks as well.
In other words, these medical devices can impact the security of hospital networks and hence their capability to treat sick people using those medical devices.
Vulnerable medical devices may also allow hackers to steal critical medical records of patients as well.
Hackers can also take control of these medical devices (especially pacemakers) and then reprogram them via remote access.
All the while, these pacemakers are still working inside the patient’s body.
And it doesn’t matter if hospital technicians are working nearby.
The fact is, pacemakers are now starting to become an integral part of the universe we know as Internet of Things.
In other words, medical devices that are connected to different networks work only to benefit the patients along with doctors and of course, hospitals.
This interconnectivity does have its own risks though.
Mostly, that patients with vulnerable devices are basically vulnerable to cyber attacks.
Since more and more people are now using these medical devices, hackers can potentially cause a national level disaster with their computer skills.
What Kind Of Cyber Attacks Can Take Place In The Medical Industry?
There are many types of cyber attacks that hackers can launch when they target the medical industry.
Most of them include the likes of,
- Unauthorized access.
This is where hackers use malware to retrieve and alter signals that medical devices receive via wireless technology from various sensitive sources. - Malware
This is where a software program that is specifically designed to execute a harmful action, infiltrates a system and causes a huge amount of damage. - Distributed Denial of Service, DDoS, and denial of service attacks.
This is a situation where hackers use a computer virus to overwhelm Internet of Things devices by blocking and/or slowing down the IOT device’s core functionality.
In a period that spanned over twelve years (from 1990 to 2002) doctors implanted patients with over 2.6 million implantable cardiac defibrillators and pacemakers in the United States alone.
These patients showcased marked improvements in their survival rates.
But What Are Pacemakers Exactly?
Pacemakers are basically small devices that doctors implant under the patient’s skin near the patient’s collarbone.
This medical device then sends electrical signals to regulate and/or start an abnormal heartbeat and regular heartbeat respectively.
On the other hand, implantable cardiac defibrillators are basically bigger versions of these pacemakers.
Implantable cardiac defibrillators usually ship with a generator along with leads and their corresponding electrodes.
What’s The Purpose Of An Implantable Cardiac Defibrillator?
The purpose of any implantable Cardiac Defibrillator is to deliver electrical signals on two levels.
The first level is essentially a low energy shock that converts a given abnormal heartbeat into a normal heartbeat.
And the second level is fundamentally a high energy shock that is used to treat a heart that is quivering when it should be beating.
This functionality is a bit different to that of a pacemaker.
Doctors use pacemakers for hearts that showcase unhealthy and/or slow heartbeats.
On the other hand, Implantable Cardiac Defibrillator is basically a requirement for patients that have fatal ventricular arrhythmias.
It is also used to treat patients with abnormal heart rhythm that stems from the patient’s lower heart chambers.
So it makes sense that the implantable medical device industry is rapidly evolving.
And all these pressing needs basically dictate how security experts should address, in a rather comprehensive manner, the issues and challenges that exist in the healthcare industry.
Moreover, implantable medical devices are advancing towards more and more complex functions very quickly.
This has resulted in an expanded range of functions of these implantable medical devices.
Their technical abilities have also seen remarkable improvements.
And because of all that, it is now possible for technicians to establish a connection with these implantable medical devices in case of emergency or any other necessity that may arise when the patient is away.
Security Researchers And The Healthcare Industry
Security researchers around the world have made their point of view clear:
There are many security related limitations of these implantable medical devices and specifically implantable cardiac defibrillators.
Pacemakers are also at risk of many cyber attacks.
Security researchers have carried out many experiments and studies on unauthorized radio-based methods that could potentially interfere with normal device functions.
Researchers say that these approaches exist despite the fact that implantable cardiac defibrillators are considered as life-saving medical devices that specifically improve the patient’s heart rhythms.
To put it another way, modern implantable medical devices have advanced web connectivity functionalities.
But researchers and engineers have not put in the required work to correspondingly improve these implantable medical devices with reasonably strong security systems.
The issue of hacking and other types of cyber attack remain unresolved.
We also know that implantable medical devices inherently have a weak security system.
Their mechanisms, relatively speaking, basically render these medical devices vulnerable to many types of cyber attacks.
These cyber attacks can easily compromise the quality and reliability of implantable medical device core functionalities.
IOActive security vendor, Barnaby Jack, who has done much work with his analysis in the field of insulin-delivering medical devices, recently proved that using his technical expertise he could:
Command a patient’s pacemaker from a distance of fifty feet.
From that distance, he could arrange an 830-volt shock to the patient.
All of that is possible because of poor software applications that most of these implantable medical devices use.
Of course, the blame should also go to the company behind these implantable medical devices.
Pacemakers And Implantable Cardiac Defibrillators
Pacemakers along with implantable cardiac defibrillators have many flaws.
These flaws are basically inherent flaws which are basically built-in to these devices because of the way programmers have programmed their wireless transmitters.
These transmitters have a very important function.
They have to give instructions to the implantable medical devices if they detect some irregular with the patient’s heart contractions.
But transmitters didn’t have this important function from the start.
Not so long ago, medical engineers programmed these pacemakers and implantable cardiac defibrillators with the help of a wand.
This “wand” basically flipped a specific software switch that allowed the medical devices to accept and carry out new instructions.
Fast forward to today, and we have manufacturers that sell these transmitters that can have a wireless range of anywhere between 30 and 50 feet.
Hence, these transmitters offer hackers an increased amount of opportunities to carry out attacks on the software of these transmitters.
Important Vulnerabilities of IMDs (Implantable Medical Devices)
There are several vulnerabilities.
Some which are as follows,
- Limited battery life/capacity
Because most of the modern implantable medical devices have advanced security features, they require much more power than before.
And hence batteries have to deliver a lot of power in order to make them work properly - Remote access.
Hackers can use such vulnerabilities to exploit the device.
They can also compromise the device’s normal operations. - Wireless Communication
This technology basically gives hackers an easy point of entry.
Hackers can then use this opportunity to gain unauthorized access and then modify the device’s functionality. - Unencrypted transfer of data.
Data that is not encrypted is always susceptible to cyber attacks.
Hackers can manipulate the data as well as steal it if they see it fit. - Untested Software applications
This only increases the possibility of hackers exploiting implantable medical devices.
They can then carry out attacks.
Even worse, bad code can have unintentional harmful effects for the patients. - Old Designs
Or more specifically designs that are based on obsolete technologies.
Devices with old designs patterns are more likely to have fewer security features. - Lack of Updates And Security Patches
Some of these implantable medical devices don’t have the required ability to update themselves quickly enough.
Some devices don’t even have security patches that they can install by themselves.
That is dangerous because then these implantable medical devices are at an increased risk of becoming an obsolete piece of software.
What Type of Generic Attacks Do Hackers Like To Carry Out?
- External-local.
Where a hacker has managed to have physical access to the implantable medical device - External-remote
Where a hacker has gained remote access to the implantable medical device - Insider-deliberate
Where a hacker can deliberately launch cyber attacks on the network via local or remote methods. - Insider-inadvertent
Where someone uses a malware-infected USB drive that results in some configuration error via an administrator account. - Inadvertent or random threats from hackers.
Patients can suffer huge losses if a computer virus infects these implantable medical devices or if these devices suffer a power failure.
It is very important to practically define the motivations with which hackers can attack these devices.
There are many other general methods to attack these devices as well.
After one has gone through the list of potential attacks it should become slightly easier to comprehend why implantable media devices are so susceptible to cyber attacks because of their vulnerabilities.
More Cyber Attack Risks
The current security systems installed in implantable medical devices do not have the proper measures against many cyber threats and other risks.
Security researchers have defined three main device classifications.
A device’s classification depends on the actual health risks which are posed to the patient, the device’s effectiveness, and the patient’s safety.
The Class I or II medical devices could potentially have a critical security flaw in their software design.
This flaw could then, act as a huge security risk to the hospital network and the patient itself.
In a similar way, pacemaker devices, which are Class III devices, could contain sensitive and identifying information which hackers could steal.
Moreover, a Class I database could contain thousands, if not more, records on patients and that can pose many identity theft risks.
Some security experts say that the current device classification system is not adequate enough to reflect the kind of distinctions they have talked about before.
Consequently, some security experts believe that the industry should bring regulatory reforms for all implantable medical devices.
According to them, this is the best way to support these medical devices.
Security Researchers Thoughts
Security researchers in the industry have warned that these implantable medical devices have some serious flaws.
And if the industry does not address these flaws, then that negligence could lead to some fatal consequences.
Most of the flaws that researchers have discovered are related to the radio-based communications.
Medical devices use these radio-based communications in order to update their firmware and software and read data.
These medical devices include the likes of pacemakers and implantable cardiac defibrillators.
How Did The Researchers Find The Key Flaws?
Just like hackers, researchers simply exploited the present flaws.
Researchers then adjusted the settings of these implantable medical devices and then even managed to switch off these gadgets.
Moreover, they also launched attacks with which they easily stole confidential and sensitive data about related patients and their full medical history.
But hackers in the real world won’t have much luck.
Why?
Because researchers have already rolled out a software patch which helps these devices fight real-world cyber attacks.
Most of the modern day implantable medical devices work in an autonomous environment.
But some still use short-range wireless communications.
These medical devices use them so that their systems can easily communicate with the medical staff who want to retrieve health related data from the device about the patient wearing that device.
Researchers (and theoretically, hackers too) can send commands to these devices via wireless networks to change their functioning.
Medical staff, though, use these features to fine tune the device in order to match the patient’s condition and physiology.
Some implantable medical devices use proprietary wireless signaling systems as well.
Researchers have reverse-engineered these systems as well and have revealed major flaws in their results.
The flaws mainly related to the method with which these devices broadcasted the sent data.
However, the exploits only worked properly when researchers had their eavesdropping equipment within 5 meters from the implantable medical device.
Researchers eavesdropped that data traffic and then picked out and then replayed those commands that controlled the implantable medical devices.
Hackers And Researchers
Hackers can use the techniques mentioned above to search for sensitive information and then send malicious commands or messages to the patient’s device.
This is what security researchers said in their paper which detailed their work.
Researchers also found that most, if not all, of these implantable medical devices, came from one manufacturing company.
And most of these vulnerable devices still had patients using them.
Researchers did not disclose the actual name of the manufacturers of these implants.
However, they did not hide their actual findings.
The manufacturers of the said medical devices, quickly updated the software of its medical devices in order to help the patients secure their devices against any potential danger.
Why Are Implantable Medical Devices So Vulnerable To Cyber Attacks?
We have already mentioned the threat and the vulnerabilities that afflict most modern implantable medical devices.
Researchers are now trying to identify how and why are these medical devices so open to cyber vulnerabilities and security threats.
After carefully considering the human, management and technical causes, researchers have identified the following factors,
- Hackers can gain access to sensitive information via published material on agency device verification processes.
Sometimes, hackers can also obtain information regarding radio frequency transmission data, spectrum and device workings from patent databases. - Software and operating systems that are still working on legacy technologies.
Software applications along with medical devices and systems that are more than five years old are bound to have major security holes and misconfigurations. - Lack of patches and software updates
- Lack of even the most fundamental of security features.
- Dearth of awareness campaigns regarding cyber security issues
- Lack of balance between safety and security procedures.
- Limited resources and power for medical devices
How To Solve IMD Problems?
The Food and Drug Administration has started to pay an increased amount of attention to problems related to implantable medical devices.
Why?
Because more and more of these IMD devices have incorporated other technological products such as software applications and mobile devices which are also connected to the internet.
This phenomenon has picked up, even more, pace in the past couple of years.
The FDA has also issued a draft version of guidelines that deal with cyber security.
These guidelines also have recommendations for IMD manufacturers so that they give cyber security issues their due attention especially during the developmental phase of IMDs.
Additionally, the FDA guidelines recommend that IMD manufacturers must provide:
- A comprehensive list of all issues related to cyber security regarding the device’s design
- Another list (which corresponding justifications) of all related cyber security controls that manufacturers have established for IMDs.
- A traceability matrix that actually manages to link cyber security risks to cyber security controls that manufacturers considered while designing IMDs.
- A systematic plan which would provide validate updates along with patches for IMDs, their software and operating systems.
These patches and updates should offer the latest protection to IMDs and address the product’s lifecycle issues as well. - Some documentation which can demonstrate that the IMD provided to individual users and bulk purchasers is actually free of any malware
- Proper device instructions which can help purchasers and users with the appropriate use of IMDs.
These should also include information regarding product specifications.
Moreover, if applicable, these instructions should also recommend an antivirus software application.
Conclusion
There is little doubt about the fact that the FDA uses rigorous methods to evaluate IMDs.
The agency has spent resources on evaluating these devices based on their software’s intended usage and all the risks involved.
The FDA has also looked at unintentional cyber security threats to these IMDs.
Before the FDA’s recent actions, only the device manufacturers considered issues related to vulnerability management and security patches.
The FDA has also come up with other guidance documents that focus on areas such as post-market and pre-market device security reviews.
However, the agency has not created any additional regulations that can enforce those new guidelines.
For now, we know that the FDA can and probably does take multiple actions that they believe are the correct ones according to their own assessments.
Such actions include,
- Giving out warning letters
- Conducting rigorous inspections
- Revoking IMDs from pre-market and post-market reviews.
These are the actions the FDA can take when a given IMD manufacturer does not follow the agency’s guidelines.
Despite these actions and their consequences, some IMD manufacturers still manage to ignore these FDA recommendations.
Hence they flood the market with unsafe and insecure IMDs.
Bottom Line
In the end, it will depend on the public and how it perceives issues related to IMD security and other areas surrounding the discussion.
Implantable Medical Devices have to find the balance between security and safety.
They also have to make sure that mobile devices are safe enough to interact with IMDs.
Moreover, IMD apps along with OTS software applications should also get some major upgrades.
Additionally, all concerned parties should enhance the methods they use to evaluate these implantable medical devices.
And of course, federal agencies such as the OSTP, NIST and the FDA have to make sure that they work independently and create a sustainable solution to cyber security problems.
If we want to make IMDs more secure then we have to force the country’s federal agencies to exercise their authority in the proper manner and regulate all critical IMDs and their manufacturers.
Only then can we begin to reduce the risks these IMDs face from various types of cyber attacks.