Cyberattacks on medical devices: a matter of life and death

Cyberattacks on medical devices

Once upon a time, medical devices were designed to perform the health-preserving and life-saving tasks required of them. That was all. Implantable cardioverter-defibrillators were designed to regulate the heart rate and prevent cardiac arrest, for example, and CT scanners were designed to provide diagnostic imaging. This was back in a simpler time.

Now medical devices of all types have connectivity that greatly increases their efficiency and functionality, making it much easier for patients to be monitored and treated to be administered. However, this connectivity also makes these devices vulnerable to hackers and cyberattackers, and many would be shocked to know just how devastating the consequences could be, which is why medical device design needs to start taking security just as seriously as it takes its core functionality.

Denial of life-saving services

The stark and surprising risks associated with connected medical devices are well illustrated by the example of implantable cardioverter defibrillators, or ICDs. As touched on above, ICDs are implanted in order to keep a person’s heartbeat regulated and to deliver a life-saving shock in patients who are at high risk of cardiac arrest.

It’s hard to believe we’re at a point where the world of common and destructive cyberattacks and medical devices collide, but ICDs are potentially susceptible to a form of cyber attack closely related to DDoS attacks. Instead of using a network of Internet-connected devices to overwhelm a target, an attack on an ICD would require just one internet connection.

With the right technical know-how, an attacker could use the long-range communication protocol that is in place to ensure communications between the device and the device programmer to send an activation message to the device (the message is the same for all ICDs) and leave it in standby mode as long as possible before repeating the process in order to wear down the battery and render the device useless long before it would be suspected a battery change is in order. This could leave it without the power necessary to perform a lifesaving task when it’s needed.

Insulin overload

In October 2016, the makers of an insulin pump took the novel step of notifying customers of a potential security vulnerability. At the time, the Animas OneTouch Ping was a popular insulin pump that allows patients to manage their insulin levels with a wireless glucose meter remote. After receiving information about the vulnerability, Johnson & Johnson and Animas warned customers that an attacker, even a remote attacker, could potentially trigger insulin injections by spoofing the meter remotely, with the risk of ultimately causing a hypoglycemic reaction in the patient – a serious health risk for someone with diabetes.

The reason this vulnerability existed is that the OneTouch Ping did not use an encrypted communication protocol. The OneTouch Ping is no longer available.

Radiation danger

Medical imaging devices are also at risk of cyber interference, the type that could cause patients serious harm. A research team at the Ben-Gurion University of the Negev in Israel found that CT scanners are the most vulnerable when it comes to attacks, and this is because of the configuration file used to control how the scanner operates – including how much radiation it emits.

The researchers found that it could be possible for attackers to increase the level of radiation emitted during a scan to the point that it could cause illness, injury, or possibly even radiation overdose to a patient. The team also found that it could be possible for attackers to mix up imaging results, thereby causing a patient to not receive essential treatment, or conversely to receive treatment that is unnecessary.

The future of medical devices

As science and technology improve, the medical devices of even the near future will be able to accomplish things we would’ve thought impossible a decade ago. Even so, some of the most important technological advances will have to come in the form of improved security. Whether it’s better to alert systems that can identify deviations from normal processes, a tighter focus on encryption or other secure means of wireless or long-range communications, or protection against attack variations that haven’t yet come to life, the manufacturers of medical devices have their work cut out for them. Here’s hoping they’re up to the challenge.