While you might not think that a breach in computer security could have fatal consequences, medical devices with Internet connectivity can indeed put lives at risk if hacked. Devices such as pacemakers, insulin pumps and MRI machines are especially dangerous if tampered with.
Those who wear implantable devices have might have little control over their functionality and are at risk for serious health failures if anyone hacks in to their devices.
Though devices with Internet connectivity provide caregivers and physicians with updated data and, in turn, effective treatment, they must be designed with better security measures to prevent hacking.
The way some medical devices are designed does not bode well for security against hackers. Sometimes these devices are not password protected, contain unchangeable passwords or operate on an easily hackable hospital network.
A device may be constructed and tested time and again to ensure it will function normally in a patient. A pacemaker, for example, is designed with a lithium/iodine battery, lead wires and a motherboard consisting of semiconductors, resistors, capacitors and other circuitry devices.
After these parts are assembled, a pacemaker may undergo precision die casting and will then go through a series of quality control tests. Though a pacemaker can be proven to withstand a range of conditions, it can still be prone to hacking.
Researchers Scott Ervan and Mark Collao recently shared their findings on the ease of hacking some medical devices. Ervan and Callao noted that they found 68,000 medical devices with Internet connectivity that are vulnerable to hacking.
Ervan and Collao found these devices by simply searching keywords in Shodan, a search engine designed to locate Internet-connected devices. They also created decoy MRI and defibrillator machines, which thousands attempted to hack.
Researchers from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) exposed the dangers of devices designed with unchangeable or hard passwords. These researchers discovered 300 devices with hard passwords.
If a hacker were to obtain access to all of these passwords, he or she could easily log in to these devices and make potentially life-threatening changes.
While the design of medical devices is not yet totally protected from potential hackings, some designers are taking initiative to make their devices as secure as possible.
There is no clear industry standard solution to prevent hacking into medical devices, but there are several steps entities can take in the right direction.
The FDA released security guidelines for manufacturers and health care facilities to consider when designing medical devices with Internet capability. They include:
• Setting unique user ID and password logins for devices
• Avoiding devices with hard passwords
• Restricting software updates with an authentication code
• Monitoring network usage and accessibility
• Updating firewalls and antivirus software
Earlier this year, the FDA issued its first warning against health care facilities using a specific device due to security concerns.
The FDA’s guidelines provide a solid foundation for practitioners and manufacturers alike. Some are taking things a step further and testing these methods. At Rice University, researchers are experimenting with using encrypted heartbeats to secure devices.
With this solution, a device would only reprogram, unlock or update after recognizing a specific heartbeat. Doctors would simply have to hold the device near a patient’s heart and it would pick up on his or her heartbeat.
Some manufacturers use hackers when designing a new device. These hackers might pick up on something that the designers would have otherwise overlooked. Though this makes for a more effective device, the industry still has not reached a point where these hackers are not needed in manufacturing devices.
While the industry has not yet devised a clear solution to the danger of medical device hacking, there are a variety of innovative ideas that could provide an answer. In the meantime, individuals should be vigilant about their devices.