Friday, May 5, 2017

Medical Device Hacking; Final Blog Post

Introduction
Our project focused on the hacking of medical devices and the positive and negative factors associated with having vulnerable health technology. We focused on simple devices, such as insulin pumps and pacemakers, but also touched briefly on how entire hospitals can be infected and all of the larger and more complex machines that can be included in these attacks.

In addition, we looked into patient data to see how they could be compromised through vulnerable health devices. By exploring all of these entities, we hoped to expose the level of vulnerability for various medical devices and to provide information that improves the health of a defined population.

Research Summary
Our research spanned multiple stakeholders and parties, offering us a unique perspective of the current state of things concerning the digital security of medical devices and the future of what we can expect to find. The following is a summary of each of the categories we researched.

Patients

Patients are interested in the well-being of themselves and their loved ones and in making sure that their medical devices are working and providing them with accurate data. They have a personal incentive to provide themselves with the device/treatment that provides them with the best possible level of care. If patients are using devices that are vulnerable to attacks, then it is possible we could see an incredible amount of harm done to a large number of people in the near future.

From our presentation, we discussed examples such as Dick Cheney’s security configuration on his pacemaker as well as the Dexcom hacking situation where hacking is used for a positive purpose. Jeremy Radcliffe’s research on hacking his own insulin pump was very informative as well.

Research & Manufacturers

Researchers are interested in the progress and implications of security breaches. They are also interested in understanding how these devices can be corrupted and how that can be prevented. Manufacturers, on the other hand, are interested in pushing out a monumental product that saves lives and brings in significant revenue. The issue is that manufacturers have not had to consider the unintentional and intentional consequences of a device vulnerable to hacking.

From our presentation, we referenced the 2008 Harvard study, which provided valuable insight into how accessible medical device hacking is. We also touched on the research from the Oak Ridge National library as well as the various methods researchers are looking to implement in devices in the future. Some of these examples include encryption, zero-power defense and password-protected devices.

Hospitals

Hospitals are at risk of security breaches and are just as vulnerable as medical devices. However, a security hack at a hospital can have catastrophic effects, as it only takes one device to infect an entire hospital. That one device can be hacked with malware on a single USB. In response to this potential threat, many hospitals are employing white hat hackers, who are essentially hired to hack hospitals and identify the vulnerabilities within the devices, the network and the systems.

Government

The main concern of the government is that they have not really dealt with security breaches for medical devices. As a result, it is much more difficult to implement a process of laws and regulation going forward. Currently, the FDA does not require a security assessment during the pre-market submission process for a device. However, the FDA has been more active in this space by issuing warnings to the public and providing frameworks for device manufacturing companies to follow.

What Did We Learn
Throughout this project and our research, we learned that it is not very hard to hack into a medical device such as an insulin pump or implantable cardiac defibrillator as long as you understand how the device works and you have the right software to do so. We also realized that it's not just about the device being hacked; there are many other issues surrounding security breaches with medical devices.

We must consider topics such as data security to protect patient data stored on medical devices, but we must also consider device security to protect the manufacturer's code that is driving the functionality of the device. Overall, we realized that medical device hacking is much closer to reality than we think as we look into the future with ideas such as IoT, data management and security.

Future Research & Next Steps

Our future research on this project would be to consider the following topics & ideas:

  1. What is the perspective and impact of the doctor and the US healthcare system within the medical device hacking space? Do doctors influence patients to select a certain medical device because of monetary incentives, similar to how some doctors prescribe drugs from specific pharma companies? How does our healthcare system treat the expense and maintenance of medical devices?
  2. IoT: How does the Internet of Things affect medical devices? What other types of security and software are built on medical devices that prevent data being stolen from the patient?
  3. Are medical devices hacked not to harm the patient, but to steal the code in order to produce a device that is cheaper, thus taking away market share from competitors and reaping the benefits?

10 comments:

  1. I thought your medical device hacking was a solid presentation, especially because it fit so well with my mHealth HIPAA presentation. Easily my favorite part of the presentation was learning that Dick Cheney had to order changes to his pacemaker to better protect it from hackers. Although I think Dick Cheney is a war criminal, I really like his proactive approach to medical device security. I would definitely love to know more about other high-ranking officials that have to implement security to their own medical devices. Great presentation!

  2. Benjamin, thank you! I appreciate it! There was another example with a "celebrity" that we did not get to mention, which was the episode of Homeland in 2012 where the vice president is assassinated from a fatal heart attack caused by someone hacking his pacemaker (sounds very similar to our story on Cheney). I'm not too familiar with the show, so I didn't really discuss it during our presentation, but I think it definitely represents another potential real life security scare.

    1. It's because of the show and the publicity that occurred after that airing that alarms went off for the media. It also scared the real Vice President, after hearing about the potential to hack pacemakers.

  3. This comment has been removed by the author.

  4. The presentation on medical device hacking helped me in understanding the impact hacking can have on the healthcare payers and providers. As a technology enthusiast I am very much about the end-to-end digitization of the healthcare industry. However, your presentation provided a more lucid picture of the problems that patients and doctors might face if the health industry is completely digitized.

    The most inquisitive part about your presentation was the interviews you conducted with industry experts. Adding onto their viewpoint, in addition to encryption of data it's imperative that hospital staff is made aware of the potential threats and ways hackers can get into health care information systems. Because hacking generally involves an internal contact who knowingly or unknowingly might share critical information with the hacker.

    To conclude, your presentation was very informative and helpful in understanding the threats to Healthcare Information Systems from Hackers.

  5. I really enjoyed your presentation. You both spoke really well and presented interesting topics. Medical hacking of simple devices, like pacemakers, really interested me because I wasn't aware of the potential benefits and consequences associated with this kind of hacking. I had no idea that one device could be hacked with a single flash drive. That's scary. It was also shocking to discover that the FDA does not require a security assessment for devices during the premarket submission period. I agree with both of you that medical device hacking is going to become an increasingly more prevalent issue, but I would like to know more about what type of regulative processes would be needed to ensure security. I found this interesting article that might help you elaborate on this subject. https://www.fda.gov/medicaldevices/digitalhealth/ucm373213.htm

    1. Good link. Even though there is no assurance of security, the FDA allows devices to be marketed when there is a reasonable assurance [by those manufacturing those devices] that the benefits to patients outweigh the risks.

  6. When I first heard about this topic I never really thought about people wanting to hack into medical devices because I didn’t really see the point of it. But from your presentation I have learned a lot about the potential dangers of these attacks on medical devices. There definitely needs to be more device security because all of these devices are so easy to hack into. A big takeaway that I got from your presentation was that healthcare payers and providers were dramatically affected as well.

    I believe that both of you addressed a really important topic and presented it really well. I learned a lot from your presentation as well as your final blog post about something that I knew nothing about.

    This topic makes me wonder what the hackers' intent is and what they plan to do in the future when they actually are able to hack into a medical device.

  7. It seems that everyone is focusing on pacemakers, but there are many other types of medical devices (e.g., insulin pumps) that you mentioned in your blog (and presentation) which are also at risk. I read the chapter on medical devices in Rosenthal's book (which I read after your presentation) that there are three types of classes: Class 1 included equipment like tongue depressors that required little scrutiny. Devices whose impact was "life-threatening or life sustaining" or that presented "unreasonable risk of illness or injury, and required extensive testing," such as pacemakers were included in class 3. Class 2 devices were those in between, which were governed by a new program called 510(k). To gain access to the market via the 510(k) route, companies had only to claim that their new device was "substantially equivalent" to a product already sold in the U.S. and used for the same purpose. It was obviously far more profitable to be in class 2 - and gain speedy approval through the 510(k) program - than to be in class 3, which required far more testing and red tape.

    The surprising result today is that there is generally far less careful scrutiny of new devices than of new drugs, even though most drugs can be stopped at an instant if problems emerge and many devices are permanently implanted in the body. Many devices are not even tested in animals before they are placed in humans; in fact, there are often no clinical trials at all for devices. Thus, when claiming "substantial equivalence" manufacturers don't have to prove that their class 1 and class 2 products are "safe and effective."

    One more stat: By 2011 class 2 submissions numbered between 3-4 thousand, but there were only 30-50 class 3 applications. I bring this up to show that without adequate scrutiny is it any wonder that medical devices get hacked! Moreover, pacemakers make up a very small percentage of the medical devices out there.

    A great topic. There will be more hacks on devices (and IoT devices). Thanks for this timely and complicated topic discussion.

  8. Can you provide a reference link somewhere? I thought you had it in your first proposal, but I never saw that on your group blog. It might be helpful for those interested in this topic (like me). :)
