On Thursday, March 26, Future Tense—a partnership of Slate, New America, and Arizona State University—will hold an event on medical device security and privacy at the New America office in Washington, D.C. For more information and to RSVP, visit the New America website.
Man or machine? The question is becoming harder to answer.
Rapid advances in medicine are increasingly enabling the integration of information technology with biology. Each year, 300,000 Americans receive wireless medical medical devices including implantable medical devices (IMDs) such as cardiac pacemakers, defibrillators, cochlear implants, neuro-stimulators, as well as drug delivery systems such as insulin pumps.* Man and machine are becoming one as tiny computers are increasingly being integrated with our own human physiology.
In the United States alone, more than 2.5 million people rely upon IMDs and like devices to treat conditions ranging from cardiac arrhythmias to diabetes to Parkinson’s disease.* A 2012 study by the Freedonia Group estimated that demand for IMDs in the United States will increase 7.7 percent annually and will grow to a $52 billion business in 2015.
Initially, IMDs were stand-alone devices that did not frequently communicate with the outside world. Today, however, many are equipped with wireless technologies that allow for direct communication between the IMD and a base station controller. These systems forward physiological information from the IMD to the patient’s physician for the purposes of monitoring and management. Some systems, like blood glucose monitors, are send-only. But others, such as implantable cardiac defibrillators, are bidirectional and allow commands to be sent from a local controller to the IMD, causing the device to take a particular action, such as shocking the heart.
There’s no question that the overwhelming majority of IMDs will heal and save untold lives, but could they also cost them? I’m not talking about device malfunctions, though they warrant attention. I’m concerned about the fact that little if any consideration has been given to the criminal opportunities created by these new technologies—even after the Department of Homeland Security issued an alert advising medical facilities that more than 300 devices from 40 different vendors had vulnerabilities that could readily be exploited by those with ill intentions.
Time and again, criminals and terrorists have proven extremely adept at subverting new technologies. Desktop computers have been targeted by computer viruses, credit card cryptographic algorithms have been reversed-engineered, mobile smartphones are increasingly infected with malware, and insurgents in Iraq successfully intercepted the video feed on a U.S. Department of Defense Predator drone.
It only makes sense then that hackers will turn their attention to IMDs—and sadly, it shouldn’t prove too difficult for them. Though no known criminal attacks against IMDs have been uncovered so far, we can and should fully expect that organized crime will turn its attention to the computers inside of us, whether for financial gain, for attention, or simply to cause fear. Some of these incidents may just be potentially run-of-the-mill cyber attacks: Just as a scripted botnet attack can commandeer your computer, your mobile phone, and even your refrigerator, so too may it ensnare your pacemaker. Hacked medical devices might just look like any other available IP address on the Internet of Things, and once your implanted defibrillator or diabetic pump has been infected, the spam it has been ensnared into sending might well drain the very limited and precious battery life desperately needed to regulate your heartbeat and insulin dosages, requiring surgical intervention for replacement.
Many of the underlying communications technologies utilized by IMDs are notoriously insecure. Using a variety of attack methodologies, researchers have already been able to change IMD device settings, disable therapies, and even deliver an unnecessary command shock to an implanted pacemaker-defibrillator. Though these devices have been successfully compromised by both researchers and hackers alike, thus far there have been no documented cases of an actual criminal attack against an IMD “in the wild”—of course, it will just be a matter of time.
One hacker, known as Barnaby Jack, demonstrated a device at a hacker conference in 2011 that he devised to locate and compromise one brand of insulin pumps within a 300-foot radius. The device allowed Jack to remotely and instantaneously release an amount of insulin almost certain to result in death without immediate treatment.*
For the first time in the history of humanity, the human body has become subject to cyber attacks. The more we implant tiny computers inside ourselves to monitor and improve our health, the more we create opportunities for others to hack into our bodies and subvert these machines for any number of criminal offenses, with homicide being the most obvious concern. As I mentioned, a remote directive transmitted over the Internet could cause command shock to be issued to a pacemaker resulting in sudden death. Once an organized crime group obtained access to this type of device, they could send an extortion email advising a victim that they had one hour to transfer funds to an overseas bank account or face a fatal electric shock.* (The assassination of a vice president via medical device on Homeland: not so far-fetched!)
Moreover, as growth of IMDs increases to a more significant percentage of the population, it would be possible to target not just one person, but entire groups of individuals with a given IMD. For example, a sufficiently powerful electromagnetic pulse could cause harm to large number of individuals with IMDs and instructions for building an EMP generator are widely available on the Internet. In addition, a criminal or terrorist organization could launch a widespread critical infrastructure attack against hospital control systems and IMDs. According to researchers at the Oak Ridge National Laboratory, in 2003 and 2009 respectively, the “Slammer” and “Conficker” worms had each successfully infected networked hospital systems responsible for monitoring heart patients. Since the days of Slammer and Conficker, malware has since become even more sophisticated, and a Trojan with a specifically engineered piece of malicious code, could cause harm to numerous patients around the world simultaneously.
While a small community of researchers, and even some government regulators, such as the FDA and FTC, have begun to pose important questions about the privacy and security implications of incorporating computer technology into biological systems, so far law enforcement and criminal justice authorities have been mostly absent from any substantive conversations. Yet given the rapidly increasing number of medical devices implanted each year, it is just a matter of time before more and more of these patients eventually die. When they do, they and their IMDs will arrive at the office of a medical examiner tasked with determining the cause of death.
When the deceased begin to arrive, how will a coroner go about determining the cause of death? Did the person with the pacemaker die of natural causes? Was this an accidental death due to a device malfunction? Was the device specifically targeted for criminal purposes? Was this a suicide wherein the patient himself subverted his own IMD to end pain and suffering, hoping that his family would receive life insurance funds for his apparent natural death? As modern medicine evolves and the proliferation of IMDs increases, the question must be asked: When the body shows up at the morgue, who will be capable of performing the autopsy?
Few if any police officers, prosecutors, or coroners have studied biomedical engineering. It is also true that few biomedical engineers or physicians have studied computer forensics or criminal justice. As increasing numbers of patients with IMDs arrive at the medical examiner’s office, there will be a need for both skill sets. Trained police investigators and coroners will need to rely upon biomedical engineers for their expertise in attempting to determine a cause of death. Conversely, device manufacturers and research scientists have limited understanding of the types of forensic evidence that would be required from an IMD to support a successful prosecution and conviction in case of criminal tampering.
It’s only a matter of time before the hacking of implantable medical devices leads to a death. The time to plan for and prevent such eventualities is now.
Correction, March 17, 2015: This article originally misstated that insulin pumps are implanted medical devices. Insulin pumps are not permanently implanted. (Return.) It also misstated that a hacker known as Barnaby Jack demonstrated a Bluetooth device that allowed him to hack an insulin pump so it would release a 45-day supply of insulin at once. Barnaby Jack’s device did not use Bluetooth. Additionally, insulin in a pump should typically be changed after a week or less, so pumps hold much less than a 45-day supply. (Return.)