From pacemakers to smartwatches, we’re increasingly becoming a cybernetic species. That’s why recent headlines about vulnerabilities in implanted medical devices might set off alarm bells. Can your grandfather’s pacemaker really be hacked and, if so, what’s the real-world risk?
It’s a timely question. Yes, there are significant changes in medical technology afoot—implantable devices can now communicate wirelessly, and the coming medical Internet of Things (IoT) is bringing with it various wearable devices to keep healthcare providers and patients more connected. But a major medical device manufacturer has made headlines with not one, but two critical security vulnerabilities.
Vulnerabilities Highlight Hacking Risks
This past March, the Department of Homeland Security warned that hackers could wirelessly access implanted pacemakers made by Medtronic. Then, just three months later, Medtronic voluntarily recalled some of its insulin pumps for similar reasons.
On the surface, this is terrifying, but it might not be quite as bad as it sounds. Hackers can’t access implanted pacemakers from some remote terminal hundreds of miles away or conduct broad-scale attacks. To hack one of these pacemakers, the attack has to be conducted in close physical proximity to the victim (within Bluetooth range), and only when the device connects to the Internet to send and receive data.
While unlikely, the risk is real. Medtronic designed the device’s communication protocol so that it doesn’t require any authentication, nor is the data encrypted. So, anyone sufficiently motivated could change the data in the implant, potentially modifying its behavior in a dangerous or even fatal way.
Like the pacemakers, the recalled insulin pumps are wirelessly enabled to connect to related equipment, like a metering device, that determines how much insulin gets pumped. This family of insulin pumps also don’t have built-in security, so the company is replacing them with a more cyber-aware model.
The Industry Is Playing Catch-Up
At first glance, it might appear Medtronic is the poster child for clueless and dangerous security (the company didn’t respond to our request for comment on this story), but it’s far from alone.
“The state of cybersecurity in medical devices is poor, overall,” said Ted Shorter, Chief Technology Officer at IoT security firm Keyfactor.
Alaap Shah, a lawyer who specializes in privacy, cybersecurity, and regulation in health care at Epstein Becker Green, explains: “Manufacturers have not historically developed products with security in mind.”
Read the remaining 22 paragraphs
Source : Can Pacemakers (and Other Medical Devices) Really Be Hacked?