Hacking Medical Devices
description
Transcript of Hacking Medical Devices
HACKING MEDICAL DEVICESBY JENNIFER GROSS
GROWTH OF MEDICAL TECHNOLOGIES
• Medical technologies and computer science continue to mesh• Pacemakers• Insulin Pumps• Defibrillators
• Just as susceptible to hacks and bugs as any other form of technology.
BARNABY JACK
• Renowned white hat hacker for McAfee• Hacked an insulin pump delivering
300 units of insulin to a mannequin in a matter of seconds.• Figured out how to hack
pacemakers from up to 500 feet away
http://www.youtube.com/watch?v=YJ8PZeRwweA
FDA’S ROLE
• Responsible for evaluating all new medical devices and risks associated with them• Seldom will examine new devices prior to them being
surgically implanted unless:• Repeated malfunctions• Recalled
OTHER ORGANIZATIONS INVOLVED
• Center for Medicare and Medicaid Services (CMS)• Food and Drug Administration (FDA)• Department of Health and Human Services (HHS)• Department of Defense (DoD)• Department of Veterans Affairs (VA)• Department of Homeland Security (DHS)
POLITICS….
• Economics behind reporting devices with defects• If a hospital were to file a report of an incident with one of the medical
devices, the hospital is liable
• Disincentive for notification• False sense of security• Lack of preparedness for any cyber security issues
ENCRYPTION AND OTHER PROTECTIONS
• All models of the various medical devices have the capability to use Advance Encryption Standard (AES)• Numerous backdoors to these devices• Backdoor could “at least have it been embedded deep inside the ICD
core”
LEGAL HELP?
• Product Liability
• Riegel v. Medtronic, Inc.
PROPOSED SOLUTION
• Software Freedom Law Center (SFLC)• Publicly auditable source-code
OPTIONS
• Use with risks of what can happen
• Don’t use it at all
REFERENCES
• Fu, Kevin and James Blum. "Inside Risks: Controlling for Cybersecurity Risks of Medical Device Software." n.d. Computer Science Laboratory - SRI International. 20 April 2014. <http://www.csl.sri.com/users/neumann/cacm231.pdf>.
• Goodin, Dan. Insulin pump hack delivers fatal dosage over the air. 27 October 2011. 20 April 2014. <http://www.theregister.co.uk/2011/10/27/fatal_insulin_pump_attack/>.
• Goodman, Marc. Hacking the Human Heart. 23 August 2011. 20 April 2014. <http://bigthink.com/future-crimes/hacking-the-human-heart>.
• Kirk, Jeremy. Pacemaker hack can deliver deadly 830-volt jolt. 17 October 2012. 20 April 2014. <http://www.computerworld.com/s/article/9232477/Pacemaker_hack_can_deliver_deadly_830_volt_jolt>.
• Peters, Jeff. Medical Devices: Death by Hacking and Barnaby Jack. July 2013. 20 April 2014. <http://www.hacksurfer.com/articles/medical-devices-death-by-hacking-and-barnaby-jack>.
REFERENCES
• Radcliffe, Jerome. "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System." n.d. Black Hat. 20 April 2014. <http://media.blackhat.com/bh-us-11/Radcliffe/BH_US_11_Radcliffe_Hacking_Medical_Devices_WP.pdf>.• "Riegel VS. Medtronic." n.d. American Association for Justice. Web. 23 April 2014.
<http://www.justice.org/cps/rde/justice/hs.xsl/2679.htm>.• Sandler, Karen, et al. "Killed By Code: Software Transparency in Implantable Medical Devices." 21
July 2010. Software Freedom Law Center. Web. 23 April 2014.• Storm, Darlene. Pacemaker hacker says worm could possibly 'commit mass murder'. 17 October
2012. 20 April 2012. <http://blogs.computerworld.com/cybercrime-and-hacking/21163/pacemaker-hacker-says-worm-could-possibly-commit-mass-murder>.
REFERENCES
• Talbot, David. Computer Viruses Are "Rampant" on Medical Devices in Hospitals. 17 October 2012. 20 April 2014. <http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices-in-hospitals/>.• Tobias, Marc Weber. What's to Stop Hackers From Infecting Medical Devices. 20 April 2012.
20 April 2014. <http://www.forbes.com/sites/marcwebertobias/2012/04/20/whats-to-stop-hackers-from-infecting-medical-devices/>.• Ungerleider, Neal. Medical Cybercrime: The Next Frontier. n.d. 20 April 2014.
<http://www.fastcompany.com/3000470/medical-cybercrime-next-frontier>.• Zetter, Kim. Board Urges Feds to Prevent Medical Device Hacking. 10 April 2012. 20 April
2014. <http://www.wired.com/2012/04/security-of-medical-devices/>.