LAS VEGAS – A few years ago the media was inundated with reports that former Vice President Dick Cheney had his pacemaker removed and replaced with a custom, presumably less connected one. The assumed reason for that procedure was to minimize the risk Cheney is exposed to in a world where it is increasingly clear that embedded medical devices can be hacked to catastrophic consequence.
There’s been far too much gloom and doom talk about shadowy hackers walking into a room and using their laptop to deliver a lethal dose of insulin to their adversary. While the scenario is certainly possible, it’s incredibly unlikely. As medical device security expert, type one diabetic, and one-time user of embedded insulin pumps, Jay Radcliffe, noted in a round table discussion on medical device security today at Black Hat, it would be far easier and more likely for an attacker to sneak up behind him and deliver a fatal blow to his head with a baseball bat.
In a discussion fueled primarily by audience engagement, many of whom work in the medical device industry, Radcliffe led the room through a reasonable analysis of the real state of medical device security.
First and foremost, Radcliffe said, the term medical device is about as useful as the term cyber, which is to say it is an incredibly broad umbrella term used to refer to insulin pumps and pacemakers and MRI machines and echo-cardiograms and doctor’s tablets and computers at hospitals running Windows XP and even certain health-related consumer mobile applications and much more.
Radcliffe argued that the hard reality, at this point at least, is that connected medical devices do far more good than harm, though it is certainly possible that that could change.
“Children with type one diabetes don’t go to sleepovers,” Radcliff said. “It’s too risky.”
However, he went on to explain that with a cloud-based insulin monitoring and adjustment application, these kids potentially could go to sleepovers. Connected medical devices have the capacity to normalize lives that would otherwise be hindered by disability.
Furthermore, the risk of medical device attacks are almost entirely dependent on circumstance. While a prominent political figure like Cheney may in fact face real risk, a child with diabetes faces negligible levels of risk.
The real medical device dangers are almost entirely wonky and institutional. Who is responsible for bug management? The answer, thanks to 2009 FDA guidance, is that both the manufactures and the hospitals share the responsibility, which actually makes the problem of implementing patches less clear. Radcliffe explained that if there is a bug in an MRI machine, the hospital will have to pay to have the manufacturer come in and update all the affected machines. Of course, the hospital could install the updates themselves, but they run the risk of losing their warranty. The hospital could also decide they don’t have the budget available to pay to have the patches installed and merely wait.
Another thorny issue is the regulatory environment in which these devices exist. In some cases, device sellers and manufacturers aren’t always sure which regulatory agencies they are beholden to. Some devices are regulated by the FDA, Radcliffe explained, while others could fall under the purview of the FCC or even the DHS.
“I buy used devices online and find all sorts of data that shouldn’t be there,” Radcliffe said, illustrating the lack of enforced regulation and data management.
The devices themselves, medically speaking explained Radcliffe, are incredibly safe. The question is, can apply that safety to the communications security aspect of these devices, which is where the security questions emerge?
Responding to a question from the audience, Radcliffe suggested that the most dangerous threat may very well be the scenario in which an electronic medical record is tampered with or in some way compromised leading to a dramatic and even dangerous change in some form of treatment.