HACKING MEDICAL DEVICESBY JENNIFER GROSS

GROWTH OF MEDICAL TECHNOLOGIES

• Medical technologies and computer science continue to mesh

• Pacemakers

• Insulin Pumps

• Defibrillators

• Just as susceptible to hacks and bugs as any other form of technology.

BARNABY JACK

• Renowned white hat hacker for McAfee

• Hacked an insulin pump delivering 300 units of insulin to a mannequin in a matter of seconds.

• Figured out how to hack pacemakers from up to 500 feet away

http://www.youtube.com/watch?v=YJ8PZeRwweA

FDA’S ROLE

• Responsible for evaluating all new medical devices and risks associated with them

• Seldom will examine new devices prior to them being surgically implanted unless:

• Repeated malfunctions

• Recalled

OTHER ORGANIZATIONS INVOLVED

• Center for Medicare and Medicaid Services (CMS)

• Food and Drug Administration (FDA)

• Department of Health and Human Services (HHS)

• Department of Defense (DoD)

• Department of Veterans Affairs (VA)

• Department of Homeland Security (DHS)

POLITICS….

• Economics behind reporting devices with defects

• If a hospital were to file a report of an incident with one of the medical devices, the hospital is liable

• Disincentive for notification

• False sense of security

• Lack of preparedness for any cyber security issues

ENCRYPTION AND OTHER PROTECTIONS

• All models of the various medical devices have the capability to use Advance Encryption Standard (AES)

• Numerous backdoors to these devices

• Backdoor could “at least have it been embedded deep inside the ICD core”

LEGAL HELP?

• Product Liability

• Riegel v. Medtronic, Inc.

PROPOSED SOLUTION

• Software Freedom Law Center (SFLC)

• Publicly auditable source-code

OPTIONS

• Use with risks of what can happen

• Don’t use it at all

REFERENCES

• Fu, Kevin and James Blum. "Inside Risks: Controlling for Cybersecurity Risks of Medical Device Software." n.d. Computer Science Laboratory - SRI International. 20 April 2014. <http://www.csl.sri.com/users/neumann/cacm231.pdf>.

• Goodin, Dan. Insulin pump hack delivers fatal dosage over the air. 27 October 2011. 20 April 2014. <http://www.theregister.co.uk/2011/10/27/fatal_insulin_pump_attack/>.

• Goodman, Marc. Hacking the Human Heart. 23 August 2011. 20 April 2014. <http://bigthink.com/future-crimes/hacking-the-human-heart>.

• Kirk, Jeremy. Pacemaker hack can deliver deadly 830-volt jolt. 17 October 2012. 20 April 2014. <http://www.computerworld.com/s/article/9232477/Pacemaker_hack_can_deliver_deadly_830_volt_jolt>.

• Peters, Jeff. Medical Devices: Death by Hacking and Barnaby Jack. July 2013. 20 April 2014. <http://www.hacksurfer.com/articles/medical-devices-death-by-hacking-and-barnaby-jack>.

REFERENCES

• Radcliffe, Jerome. "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System." n.d. Black Hat. 20 April 2014. <http://media.blackhat.com/bh-us-11/Radcliffe/BH_US_11_Radcliffe_Hacking_Medical_Devices_WP.pdf>.

• "Riegel VS. Medtronic." n.d. American Association for Justice. Web. 23 April 2014. <http://www.justice.org/cps/rde/justice/hs.xsl/2679.htm>.

• Sandler, Karen, et al. "Killed By Code: Software Transparency in Implantable Medical Devices." 21 July 2010. Software Freedom Law Center. Web. 23 April 2014.

• Storm, Darlene. Pacemaker hacker says worm could possibly 'commit mass murder'. 17 October 2012. 20 April 2012. <http://blogs.computerworld.com/cybercrime-and-hacking/21163/pacemaker-hacker-says-worm-could-possibly-commit-mass-murder>.

REFERENCES

• Talbot, David. Computer Viruses Are "Rampant" on Medical Devices in Hospitals. 17 October 2012. 20 April 2014. <http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices-in-hospitals/>.

• Tobias, Marc Weber. What's to Stop Hackers From Infecting Medical Devices. 20 April 2012. 20 April 2014. <http://www.forbes.com/sites/marcwebertobias/2012/04/20/whats-to-stop-hackers-from-infecting-medical-devices/>.

• Ungerleider, Neal. Medical Cybercrime: The Next Frontier. n.d. 20 April 2014. <http://www.fastcompany.com/3000470/medical-cybercrime-next-frontier>.

• Zetter, Kim. Board Urges Feds to Prevent Medical Device Hacking. 10 April 2012. 20 April 2014. <http://www.wired.com/2012/04/security-of-medical-devices/>.