Friday, May 5, 2017

Medical Device Hacking; Final Blog Post

Introduction
Our project focused on the hacking of medical devices and the positive and negative factors associated with having vulnerable health technology. We focused on simple devices, such as insulin pumps and pacemakers, but also touched briefly on how entire hospitals can be infected and all of the larger and more complex machines that can be included in these attacks.

In addition, we looked into patient data to see how they could be compromised through vulnerable health devices. By exploring all of these entities, we hoped to expose the level of vulnerability for various medical devices and hope to provide information that improves the health of a defined population.

Research Summary
Our research spanned multiple stakeholders and parties, offering us a unique perspective of the current state of things concerning the digital security of medical devices and the future of what we can expect to find. The following is a summary of each of the categories we researched.

Patients

Patients are interested in the well-being of themselves and their loved ones and in making sure that their medical devices are working and providing them with accurate data. They have a personal incentive to choose the device or treatment that provides them with the best possible level of care. If patients are using devices that are vulnerable to attacks, then it is possible we will see an incredible amount of harm done to a large number of people in the near future.

In our presentation, we discussed examples such as Dick Cheney’s security configuration on his pacemaker as well as the Dexcom hacking situation, where hacking is used for a positive purpose. Jeremy Radcliffe’s research on hacking his own insulin pump was very informative as well.

Research & Manufacturers

The researchers are interested in the progress and implications of security breaches. They are also interested in understanding how these devices can be corrupted and how they can prevent that from happening. The manufacturers, on the other hand, are interested in pushing out a monumental product that saves lives and brings in significant revenue. The issue lies in the idea that manufacturers have not had to consider the unintentional and intentional consequences of a device vulnerable to hacking.

In our presentation, we referenced the 2008 Harvard study, which provided valuable insight into how accessible medical device hacking is. We also touched on the research from the Oak Ridge National library as well as the various methods researchers are looking to implement in devices in the future. Some of these examples include encryption, zero-power defense and password-protected devices.

Hospitals

Hospitals are at risk of security breaches and are just as vulnerable as medical devices. However, a security hack at a hospital can have catastrophic effects, as it only takes one device to infect an entire hospital. That one device can be hacked with malware on a single USB. In response to this potential threat, many hospitals are employing white hat hackers, who are essentially hired to hack hospitals and identify the vulnerabilities within the devices, the network and the systems.

Government

The main concern of the government is that they have not really dealt with security breaches for medical devices. As a result, it is much more difficult to implement a process of laws and regulation going forward. Currently, the FDA does not require a security assessment during the pre-market submission process for a device. However, the FDA has been more active in this space by issuing warnings to the public and providing frameworks for device manufacturing companies to follow.

What Did We Learn
Throughout this project and our research, we learned that it is not very hard to hack into a medical device such as an insulin pump or implantable cardiac defibrillator as long as you understand how the device works and you have the right software to do so. We also realized that it’s not just about the device being hacked; there are many other issues surrounding security breaches with medical devices.

We must consider topics such as data security to protect patient data stored on medical devices, but we must also consider device security to protect the manufacturer’s code that is driving the functionality of the device. Overall, we realized that medical device hacking is much closer to reality than we think as we look into the future with ideas such as IoT, data management and security.

Future Research & Next Steps

Our future research on this project would be to consider the following topics & ideas:

  1. What is the perspective and impact of the doctor and the US healthcare system within the medical device hacking space? Do doctors influence patients to select a certain medical device because of monetary incentives, similar to how some doctors prescribe drugs from specific pharma companies? How does our healthcare system treat the expense and maintenance of medical devices?
  2. IoT: How does the internet of things affect medical devices? What other types of security and software are built on medical devices that prevent data being stolen from the patient?
  3. Are medical devices hacked not to harm the patient, but to steal the code in order to produce a device that is cheaper, thus taking away market share from competitors and reaping the benefits?

Interview with Colin Jones-Weinert

As promised, here is a summary of our talk with Mr. Colin Jones-Weinert.

About Colin

Mr. Jones-Weinert is a CES manager for SynCardia Systems. He did his undergraduate studies at the University of Arizona in molecular and cellular biology, biochemistry, molecular biophysics with a minor in mathematics. He also holds an MBA from the Eller College of Management. After graduation, Colin began his career at SynCardia as a heart manufacturing technician, working his way up to CES manager. His current role involves directing the manufacturing and production of the artificial hearts.

What We Discussed

We discussed a variety of topics with Colin, but we kept the conversation mostly on the security of the devices his firm produces. We touched on the various implications of security, regulation and connectivity for medical devices.

Colin introduced us to the various products his company sells, which include various models of artificial hearts. Currently the systems that SynCardia offers do not have internet capability. In addition, some of the company's devices, such as the C2 drivers, are password protected, and for many of the devices, the user or healthcare provider can access them.

Mr. Jones-Weinert introduced an example where cybersecurity in medical devices could be a threat. He pointed to an example with Medtronic’s implantable glucose pumps, where the medical device connects to a smartphone to administer the glucose dosages. He mentioned that a device or system similar to these pumps requires serious security and protection, as it's controlled via a smartphone.

We then touched on regulation, where Colin Weinert discussed how FDA requirements are not as updated and that most of the security depends on the company. Another great point that he made was that data storage and backup are very important for medical devices, as companies cannot afford to lose patient data if a natural disaster or adverse event were to occur.

From our discussion on regulation, we moved on to connectivity of devices and the Harvard hacking study from our presentation. Colin mentioned an important point: cybersecurity isn’t just about the ability to control the device or obtain the underlying patient data; it can also be used to steal the code. This dilemma presents an issue for companies that do not have a patent or copyright on their code, which makes their information just as vulnerable as their patients.

Overall, our conversation with Colin Jones-Weinert was very interesting, and he presented an interesting perspective on the issue as an industry expert in the medical device space. He presented some excellent closing thoughts as we wound down our conversation, such as how all our medical devices become significantly more vulnerable as we move into the future and that we should look into more ways of protecting our devices.

Wednesday, April 26, 2017

Project Proposal Update


Our Investigation

Similar to the Institute for Healthcare Improvement, our systems project will investigate at least one of the three critical objectives that can potentially lead to better models for providing better healthcare. The critical objectives are the following:

● Improve the health of the defined population
● Enhance patient care experience (including quality access and reliability)
● Reduce or at least control the per capita cost of care

Our project would like to focus on improving the health of a defined population by investigating medical device hacking and its various effects on the population. We would like to explore the following topics regarding medical device hacking during the course of the project.

● Positive and negative implications for medical device hacking
● How vulnerable are medical devices really?
● How vulnerable are hospitals to a malware attack?
By exposing the potential security problems with these devices, we will be able to improve the health of the population by providing devices immune to hacking and security breaches. Safer devices will prevent mishaps that could lead to serious health problems and death.

Further Structure of our Research

Up to this point, we have realized that many of our sources are news articles or short articles from various medical sources. We need to first dive deeper into scholarly works to really understand what has been happening with this issue and what progress is currently being made. In addition, we need to reach out to experts in the field of both data security and healthcare devices to get a better sense of their current experience on this topic.

Interviews
We think that one of our own here at the Eller College, Dr. Faiz Currim, will be a huge help for our research. Since he has a background in both data security and healthcare information systems, we think he will be able to give us a fair, unbiased point of view on both topics and how they work together. In addition, we think he is knowledgeable about this fairly recent phenomenon and will be able to talk directly about the hacking of medical devices and how we can best come to our conclusions. A few of our sample questions for the interview are displayed below:

● Have data security and healthcare systems been separate entities in the past? Have you noticed a merging of them recently?
● How specifically can a hospital be endangered by a connected device that is on the hospital’s network?
● Why do you think that these companies are not motivated to make more secure products?
● Why do you think the FDA is not doing more right now to regulate these devices?
● So you believe there is a real threat in this space? What is in it for the hackers, from your perspective?
● Will security really make these devices more secure? Won’t the hackers just be able to break through some of this security anyway?