In the world of hypothetical cybercrime, not much is scarier than the hacked medical device. Compromised pacemakers played a central role last year in an episode of Homeland and provided a macabre sidenote to this year’s Black Hat conference for hackers. It wasn’t science fiction: There’s ample evidence that it’s possible to seize control of such implants from a distance. There’s just no evidence that’s ever happened.
Still, regulators and computer security experts are dedicating a fair amount of attention to warding off such threats. On Thursday, the Center for Internet Security, a nonprofit group that advises government agencies and private companies, said it was beginning work on a set of guidelines for medical devices, beginning with insulin pumps. It is soliciting the cooperation of hospitals and device manufacturers through the end of August and plans to issue its guidelines by the end of the year. This follows a warning earlier this summer by the Food and Drug Administration, which alluded to potential shortcomings in medical devices and said it was developing its own guidance on how manufacturers should address them.
Medical hacking entered the public eye in 2011, when hackers began showing it was possible. Jay Radcliffe, a computer security expert working for IBM (IBM), delivered a presentation at a hacking conference (pdf) showing that he could take control of an insulin pump and manipulate the amount of insulin it provided, potentially killing the user. The revelation led to a spate of angry letters, concerned congressmen, and eventually, the FDA guidelines issued earlier this year. Radcliffe also began working with medical device manufacturers to help secure their products.
New vulnerabilities continue to arise. In June, ICS Cert, part of the Department of Homeland Security, reported that it had found security holes in 300 medical devices being made by 40 different companies, which it declined to name. This summer, Radcliffe returned to Black Hat to discuss medical hacking. Another computer security researcher who had focused on medical devices, Barnaby Jack, was also scheduled to give a presentation about how he had successfully hacked into a pacemaker, but days before the conference Jack was found dead in San Francisco. A medical examiner is still investigating the cause.
In an interview with Vice shortly before his death, Jack said it had taken six months to hack the pacemaker. “It does take a specialized skill, but with more and more security researchers concentrating on embedded devices, the skill set required is becoming more common,” he told the magazine.
Considering the varying rates of technical innovation among hackers, medical companies, and regulators, it’s likely that the health-care industry will always be at least a half-step behind. Meanwhile, as medical devices continue to utilize wireless technology, the manufacturers will continue to face the tension of straddling two worlds, says Chester Wisniewski of Sophos, a security firm. “There are very few security people in the medical device industry, and there are very few medical people in the security industry,” he says.