by Craig Klugman, Ph.D.
In the last few weeks, a major malware attack (WannaCry) paralyzed computers around the world, including electronic health records at the UK’s National Health Service and at hospitals throughout the world. Hacking is a growing problem that can cripple computer systems and even household appliances. Consider that in October 2016, an internet attack came from web-enabled residential devices (cameras, refrigerators, virtual assistants, thermostats, all of which are part of the internet of things) that crippled major websites. Rogue code was placed into these devices where it stayed unnoticed until the signal to attack was given. Most of these devices do not have anti-virus software or any protection other than a password, which most people never change from the factory chosen one. Your home devices, your car and your computer may not be your only hackable tech. A new study shows that modern pacemakers are quite susceptible to hacking.
In January 2017, the FDA released a communication warning that certain RF (radiofrequency) enabled pacemakers could be hacked. These devices are convenient as physicians can monitor them through telemetry and adjust the settings, update the software, and patch security holes without fiddling with the device itself (which is implanted internally in your body). Some devices even connect to your doctor over Wi-Fi. However, these devices lack the security that even an inexpensive PC has, meaning that users can easily use it in the same way as the internet of things attack, or even to cause harm to a particular person.
In Seasons 2, episode 10 of the Showtime series Homeland (2012), the fictional vice president of the United States is assassinated when terrorists hack his pacemaker. While this might seem farfetched and fictional, consider that in 2013, former U.S. Vice President Dick Cheney was so fearful that his pacemaker could be hacked by “terrorists” that he had the wireless feature disabled. In 2008, researchers hacked a defibrillator in a lab to see how easy the process was. In 2015, a hospital was victim to hacking of its patients’ implantable cardiac defibrillators.
It’s not just the pacemaker, but also insulin pumps. In 2012, a researcher hacked his own insulin pump to show that it could be done. Something similar was behind a series of murders in the fictional novel Cell (2014) where an artificial intelligence killed off patients that it decided would require too many health care resources. Other medical devices that could be targeted for hacking include cochlear implants, glucose monitors, and deep brain stimulators, to name a few.
The federal government acknowledges this risk. A 2012 US Government Accountability Office report stated: “Medical devices may have several such vulnerabilities that make them susceptible to unintentional and intentional threats, including untested software and firmware and limited battery life. Information security risks resulting from certain threats and vulnerabilities could affect the safety and effectiveness of medical devices.”
All of which begs the question, how do we secure these devices? One possibility is to require passwords to access these devices just as is there is for most other wireless technologies. However, finding that password could slowdown treatment in a medical emergency while health care personnel have to go through records to find the correct phrase. One suggestion is that there be a password QR code that would be tattooed on the patient and could be scanned quickly and easily in the event of an emergency. The tattoo could be printed in ink that is only readable under a blacklight to protect patient privacy. Another possibility is to use a person’s unique heartbeat as a password in the same way that a fingerprint can unlock your mobile phone. Another option would be to have a cryptographic key that is necessary to access the device and could be worn as jewelry or kept in a safe place. This solution is a risk because such keys cannot be replaced if lost, necessitating a replacement of the actual device (i.e. surgery).
Other suggestions including a “handshake” that can authenticate the device and the transmitter, ensuring an encrypted connection and only allowing access when the device is near another specific device, or in a certain geographic area, or even having an RFID guard to prevent radio emissions to or from the device . The FDA already requires wireless medical devices to use encryption and authentication to protect patient privacy. However, the agency currently recommends cybersecurity in such devices but does not require it. A cybersecurity review should be required that could include passive and active hacking to see how the device functions to ward off such attacks.
Every patient with a device or who is considering one should ask her/his physician about the cybersecurity protocols. Like most of our connected tools, we also have to accept there is a risk to their use that comes along with the convenience. As part of informed consent, doctors should be discussing cybersecurity along with surgical and other medical risks and benefits. Beyond asking some questions, there simply is not much that a person can do to defend against these black arts.