Hacking Into Medical Devices
-
Upload
jane-wang -
Category
Technology
-
view
211 -
download
3
Transcript of Hacking Into Medical Devices
![Page 1: Hacking Into Medical Devices](https://reader036.fdocuments.us/reader036/viewer/2022081421/55628b1fd8b42ad1688b5654/html5/thumbnails/1.jpg)
HACKING INTO MEDICAL DEVICESJANE WANG
SECTION 2
![Page 2: Hacking Into Medical Devices](https://reader036.fdocuments.us/reader036/viewer/2022081421/55628b1fd8b42ad1688b5654/html5/thumbnails/2.jpg)
CYBERSECURITY
• Unauthorized access to data, which are either resident in or exchanged between computer systems
• Attacks on system resources (i.e. computer hardware, operating system software, and application software) by malicious computer programs
• Attacks on computer networks, including infrastructure of privately owned networks and the Internet itself
![Page 3: Hacking Into Medical Devices](https://reader036.fdocuments.us/reader036/viewer/2022081421/55628b1fd8b42ad1688b5654/html5/thumbnails/3.jpg)
THE ISSUE
• Medical devices are often connected wirelessly to hospital networks and are therefore vulnerable to cyber attacks
• More than half the devices sold in America rely on software
• So far, no known incidents of a hacked medical device injuring/killing a person have occurred, but research has shown it is possible
![Page 4: Hacking Into Medical Devices](https://reader036.fdocuments.us/reader036/viewer/2022081421/55628b1fd8b42ad1688b5654/html5/thumbnails/4.jpg)
PREVIOUS ACCIDENTS - UNINTENTIONAL
• Dozens of cases of viruses infecting computers that control X-ray machines and laboratory equipment
• Bug in the software of a radiotherapy machine caused massive overdoses of radiation to be delivered to several patients, killing at least five
• One in three of all software-based medical devices sold in America between 1999 and 2005 were recalled for software failures
![Page 5: Hacking Into Medical Devices](https://reader036.fdocuments.us/reader036/viewer/2022081421/55628b1fd8b42ad1688b5654/html5/thumbnails/5.jpg)
PACEMAKERS
• Small device placed in the chest or abdomen to help control abnormal heart rhythms
• Uses electrical pulses to prompt the heart to beat at a normal rate
• Have wireless transmitters to allow them to be programmed without an invasive procedure
• Allows medical professionals to send pacemakers new instructions
• As of 2013, roughly one million people have pacemakers in the U.S.
![Page 6: Hacking Into Medical Devices](https://reader036.fdocuments.us/reader036/viewer/2022081421/55628b1fd8b42ad1688b5654/html5/thumbnails/6.jpg)
PACEMAKERS – THE DANGER
• Due to the convenience of wireless transmitters, security vulnerabilities of remote attacks on the body are now possible
• Allows for hacking through not only a laptop, but also Malware installed on a hospital or company computer that may briefly interact with an implant
• Could infect, reprogram, or command the device to perform a more lethal function
![Page 7: Hacking Into Medical Devices](https://reader036.fdocuments.us/reader036/viewer/2022081421/55628b1fd8b42ad1688b5654/html5/thumbnails/7.jpg)
BARNABY JACK
• Discovered a way to hack into a pacemaker via its wireless transmitter and make the device send an 830-volt shock through a person’s body
• Can be done with a laptop from 30 to 50 feet away
• Demonstrated the hack during a talk at Breakpoint security conference in Melbourne, Australia
• Was also able to access personal data stored on implants, such as confidential patient information and the doctor’s name
![Page 8: Hacking Into Medical Devices](https://reader036.fdocuments.us/reader036/viewer/2022081421/55628b1fd8b42ad1688b5654/html5/thumbnails/8.jpg)
INSULIN PUMPS
• Device used for administration of insulin in the treatment of diabetes
• Many insulin pumps are now wireless
• Allows the patient to check on the pump’s status and activity
• Allows for control of the dosage administered
• As of 2007, over 400,000 insulin pump users in the U.S.
![Page 9: Hacking Into Medical Devices](https://reader036.fdocuments.us/reader036/viewer/2022081421/55628b1fd8b42ad1688b5654/html5/thumbnails/9.jpg)
INSULIN PUMPS – THE DANGER
• Wireless transmitters once again can cause problems, and cause the pump to deliver a deadly dose of the hormone
• Currently there are patents for insulin pumps that can hook up to WiFi and be controlled via a web browser
• Huge potential for exploits, especially since exploits to compromise web interfaces are developed daily
![Page 10: Hacking Into Medical Devices](https://reader036.fdocuments.us/reader036/viewer/2022081421/55628b1fd8b42ad1688b5654/html5/thumbnails/10.jpg)
BARNABY JACK
• Also discovered how to hack insulin pumps
• Was able to obtain complete control of all pumps within a vicinity without any prior knowledge of their serial numbers
• Able to cause device to repeatedly deliver its maximum dose of 25 units until the entire reservoir was depleted
• Able to hack pumps from a distance of up to 300 feet using a high-gain antenna
![Page 11: Hacking Into Medical Devices](https://reader036.fdocuments.us/reader036/viewer/2022081421/55628b1fd8b42ad1688b5654/html5/thumbnails/11.jpg)
DELOITTE STUDY
• Consultants interviewed representatives from 9 health care organizations
• Majority felt that their organizations had strategies and frameworks for managing cybersecurity risks
• However, many differences in the degree of preparedness and approaches for handling cyberthreats
![Page 12: Hacking Into Medical Devices](https://reader036.fdocuments.us/reader036/viewer/2022081421/55628b1fd8b42ad1688b5654/html5/thumbnails/12.jpg)
WHY IS THIS ETHICAL?
• If nothing is done about it, millions of people are put at risk
• However, medical professionals will still be able to change settings without the use of medical procedures, allowing for the patient to carry on through everyday life normally
• If something is done about it, either:
• Research will be conducted to find a safe solution that preserves the patient’s convenience, but in the mean time will people will still be at risk
• Wireless transmitters will be removed, and patients will have to suffer through invasive procedures whenever a change is required
![Page 13: Hacking Into Medical Devices](https://reader036.fdocuments.us/reader036/viewer/2022081421/55628b1fd8b42ad1688b5654/html5/thumbnails/13.jpg)
SOLUTIONS
• Encryption
• Problem: Encryption takes up valuable processing time on a device
• Goal: To develop encryption that addresses the cyberrisk without impacting the functionality of the device
• Open-source
• Start making open-source devices, so more people can learn how these devices work
• Allows for more minds to come up with security issues, as well as discover fixes for them
• Currently prohibited for use on live human patients
![Page 14: Hacking Into Medical Devices](https://reader036.fdocuments.us/reader036/viewer/2022081421/55628b1fd8b42ad1688b5654/html5/thumbnails/14.jpg)
SOLUTIONS
• Researchers at Rice University have found a way to use a heartbeat reading as a way to confirm that whoever is trying to reprogram or download data from a device is in direct contact with the patient
• Makes it clear if someone is a remote hacker
• This fix could work even in emergency situations where no delay can be tolerated
• Researchers from Princeton and Purdue University have developed MedMon, a prototype firewall
![Page 15: Hacking Into Medical Devices](https://reader036.fdocuments.us/reader036/viewer/2022081421/55628b1fd8b42ad1688b5654/html5/thumbnails/15.jpg)
U.S. FOOD AND DRUG ADMINISTRATION
• FDA has released draft guidance for cybersecurity concerns
• New draft lays out specific concerns that must be addressed when applying FDA approval for new devices
• Requires manufacturers to report security breaches, and has called upon them to review and improve their security procedures
• FDA is now developing a cybersecurity laboratory to focus on potential threats to medical devices and systems