A heart defibrillator remotely controlled by a villainous hacker to trigger a fatal heart attack? Yes, it is now possible. The Government Offices have released a report warning that medical devices are vulnerable to hacking and calling for greater oversight of such devices.
The investigation into electronic medical-device safety was initiated after computer-security researchers found dangerous vulnerabilities in insulin pumps. “Even the human body is vulnerable to attack from computer hackers,” Representative Anna Eshoo, a Democrat from California, said in a statement on her website. Preventing potential hacking might seem as simple as requiring a password for access. The operating systems that hospitals use are an even bigger challenge.
Barnaby Jack, who worked separately as a professional hacker for McAfee, both demonstrated ways to manipulate the wireless capabilities on devices made by Minneapolis-based Medtronic Inc. (MDT) to remotely take over the pumps and dispense fatal doses of insulin. Earlier research bolstered their claims. A 2008 study from a consortium of academics found that a popular pacemaker-defibrillator could be reprogrammed to deliver deadly shocks. According to a 2011 report from the World Society of Arrhythmias, in just one year, 2009, 133,262 defibrillators were implanted in patients in the United States, or 434 devices for every million people, and that’s just one device for one condition.
To address security issues, it is essential to develop and implement a more comprehensive plan to assist in enhancing review and surveillance of medical devices that more fully incorporates information security into these devices.
In my previous article, I discussed the threats posed to the medical devices and the patients wearing those devices. These threats could be multifaceted. Is the software protected inside a micro-controller? How can access to device hardware be eliminated to prevent hacking? Is there a way to detect software code modification?
Most modern medical devices use flash memory to store software code. To protect the code, designers must implement techniques to prevent its unauthorized modification. Authentication mechanisms should control access to the software code while it is still in the development phase, so that it does not fall into the wrong hands and cannot be modified by an unauthorized entity. The software code should be properly tested and debugged before it is installed on the device hardware. Code developers and device manufacturers can also work together to give the code in medical devices erase protection.
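One way to detect modification of code stored in flash, as an added example that is not from the original article: the manufacturer seals each image with a keyed MAC, and the device checks the tag, plus a minimum version to refuse rollback to older code, before running it. The `MDFW` header layout, the function names and the key are assumptions made for this example, and HMAC-SHA256 stands in for the public-key signature check a production device would normally use.

```python
import hashlib
import hmac
import struct

MAGIC = b"MDFW"                  # constructed magic value for this example
HEADER = struct.Struct(">4sII")  # magic, firmware version, code length
TAG_LEN = hashlib.sha256().digest_size


def seal_image(key: bytes, version: int, code: bytes) -> bytes:
    """Manufacturer side: prepend a header, append a MAC over header + code."""
    body = HEADER.pack(MAGIC, version, len(code)) + code
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(key: bytes, image: bytes, min_version: int):
    """Device side: return (ok, reason); run before executing code from flash."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time compare; no header field is trusted until the tag passes.
    if not hmac.compare_digest(tag, expected):
        return False, "bad tag"
    magic, version, length = HEADER.unpack_from(body)
    if magic != MAGIC or length != len(body) - HEADER.size:
        return False, "bad header"
    # A correctly sealed but older image is still refused.
    if version < min_version:
        return False, "rollback"
    return True, "ok"


if __name__ == "__main__":
    key = bytes(range(32))                       # constructed demo key
    code = bytes(i % 251 for i in range(256))    # constructed stand-in for firmware
    image = seal_image(key, 3, code)
    print("untouched image :", verify_image(key, image, 3))

    patched = bytearray(image)
    patched[HEADER.size + 10] ^= 0x01            # single flipped bit in the code area
    print("one bit flipped :", verify_image(key, bytes(patched), 3))

    print("older release   :", verify_image(key, seal_image(key, 2, code), 3))
```
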
Patient data and records stored by medical devices should be encrypted to provide confidentiality. Any communication link between devices, such as a wireless link, should also be secured using a public key/private key mechanism to prevent eavesdropping by hackers. As a step in this direction, researchers have developed a prototype firewall that triggers response mechanisms which could warn the user or jam the malicious communication. But it is only in its early phases and far from complete. There are many considerations. One is that software used on mobile devices or personal computers cannot be used on medical devices: the heavy computation it requires makes it too large and drains the battery, which is unacceptable for a patient wearing a life-saving device that runs on batteries.
Researchers are also digging into sensors that can uniquely identify a person by gathering medical data from the person's body and that respond only to that person, removing the possibility of access by hackers.