Medical Devices a Scary Cyberthreat


Illustration by BruceBlaus

In a 2012 episode of the TV drama “Homeland,” the Vice President of the United States was assassinated by hackers who tapped into his pacemaker and ramped up the speed of his heart until he had a heart attack. Sounds far-fetched?

It might not be as far-fetched as you’d think, and it’s not a new danger. Ten years ago a real-life former Vice President of the United States, Dick Cheney, had the wireless capability in his pacemaker turned off. His cardiologist was worried about exactly the kind of scenario that was shown on “Homeland.”

Earlier this year, the FDA issued a safety alert warning that certain implantable cardiac devices from St. Jude Medical were vulnerable to cyberattack. An exploitable flaw was found in a base station that communicates with the implanted device; the FDA said hackers could gain control of the implanted device through the base station and either drain the battery or send inappropriate orders to the device, either of which could be life-threatening.

Back in October, Johnson & Johnson notified 114,000 diabetics using its Animas OneTouch Ping insulin pump that the pump could be hacked and then disabled or ordered to deliver incorrect doses of insulin.

In 2015 a security researcher, Billy Rios, needed emergency surgery. He was a little taken aback when he noticed that the drug-infusion pump he was hooked up to was the same model in which he’d found security flaws that a hacker could use to deliver a fatal dose of drugs. The vulnerabilities he’d found affected at least 400,000 infusion pumps.

Generally speaking, the benefits of connected medical devices probably outweigh the dangers of being hacked into, unless you’re a person that a lot of people might want dead. But it’s worth considering the security implications of being connected to medical devices that can be hacked. Even if you’re not a “person of interest,” anyone can be a victim of ransomware. Ransomware typically takes control of your computer and threatens to destroy your data if you don’t pay up. Is the day coming when we’ll have ransomware that threatens to kill people if they don’t pay up? It’s not an impossible scenario.

Implantable devices need to be small, which limits the amount of security technology that can be installed onboard. One would hope that manufacturers of medical devices would be more careful than people in other lines of business, but device manufacturers are driven by the bottom line as much as any other business, and as a result they no doubt don’t always spend as much time, effort, and money on security as they should.

As the stakes become ever higher in the battle against cybercrime, the need for a new paradigm in data security, such as PACid’s Bolt-on Strong Security (BoSS), is ever greater.