Hacking Into Medical Devices
HACKING INTO MEDICAL DEVICES
JANE WANG
SECTION 2
CYBERSECURITY
• Unauthorized access to data, which are either resident in or exchanged between computer systems
• Attacks on system resources (i.e. computer hardware, operating system software, and application software) by malicious computer programs
• Attacks on computer networks, including infrastructure of privately owned networks and the Internet itself
THE ISSUE
• Medical devices are often connected wirelessly to hospital networks and are therefore vulnerable to cyber attacks
• More than half the devices sold in America rely on software
• So far, no known incidents of a hacked medical device injuring/killing a person have occurred, but research has shown it is possible
PREVIOUS ACCIDENTS - UNINTENTIONAL
• Dozens of cases of viruses infecting computers that control X-ray machines and laboratory equipment
• Bug in the software of a radiotherapy machine caused massive overdoses of radiation to be delivered to several patients, killing at least five
• One in three of all software-based medical devices sold in America between 1999 and 2005 were recalled for software failures
PACEMAKERS
• Small device placed in the chest or abdomen to help control abnormal heart rhythms
• Uses electrical pulses to prompt the heart to beat at a normal rate
• Have wireless transmitters to allow them to be programmed without an invasive procedure
• Allows medical professionals to send pacemakers new instructions
• As of 2013, roughly one million people have pacemakers in the U.S.
PACEMAKERS – THE DANGER
• The convenience of wireless transmitters makes remote attacks on a device inside the body possible
• Allows for hacking through not only a laptop, but also malware installed on a hospital or company computer that may briefly interact with an implant
• Could infect, reprogram, or command the device to perform a more lethal function
BARNABY JACK
• Discovered a way to hack into a pacemaker via its wireless transmitter and make the device send an 830-volt shock through a person’s body
• Can be done with a laptop from 30 to 50 feet away
• Demonstrated the hack during a talk at Breakpoint security conference in Melbourne, Australia
• Was also able to access personal data stored on implants, such as confidential patient information and the doctor’s name
INSULIN PUMPS
• Device used for administration of insulin in the treatment of diabetes
• Many insulin pumps are now wireless
• Allows the patient to check on the pump’s status and activity
• Allows for control of the dosage administered
• As of 2007, over 400,000 insulin pump users in the U.S.
INSULIN PUMPS – THE DANGER
• Wireless transmitters once again can cause problems, and could be used to make the pump deliver a deadly dose of the hormone
• Currently there are patents for insulin pumps that can hook up to WiFi and be controlled via a web browser
• Huge potential for exploits, especially since exploits to compromise web interfaces are developed daily
BARNABY JACK
• Also discovered how to hack insulin pumps
• Was able to obtain complete control of all pumps within a vicinity without any prior knowledge of their serial numbers
• Able to cause device to repeatedly deliver its maximum dose of 25 units until the entire reservoir was depleted
• Able to hack pumps from a distance of up to 300 feet using a high-gain antenna
DELOITTE STUDY
• Consultants interviewed representatives from 9 health care organizations
• Majority felt that their organizations had strategies and frameworks for managing cybersecurity risks
• However, many differences in the degree of preparedness and approaches for handling cyberthreats
WHY IS THIS ETHICAL?
• If nothing is done about it, millions of people are put at risk
• However, medical professionals will still be able to change settings without the use of medical procedures, allowing for the patient to carry on through everyday life normally
• If something is done about it, either:
  • Research will be conducted to find a safe solution that preserves the patient’s convenience, but in the meantime people will still be at risk
  • Wireless transmitters will be removed, and patients will have to suffer through invasive procedures whenever a change is required
SOLUTIONS
• Encryption
  • Problem: Encryption takes up valuable processing time on a device
  • Goal: To develop encryption that addresses the cyberrisk without impacting the functionality of the device
• Open-source
  • Start making open-source devices, so more people can learn how these devices work
  • Allows for more minds to come up with security issues, as well as discover fixes for them
  • Currently prohibited for use on live human patients
SOLUTIONS
• Researchers at Rice University have found a way to use a heartbeat reading as a way to confirm that whoever is trying to reprogram or download data from a device is in direct contact with the patient
• Makes it clear if someone is a remote hacker
• This fix could work even in emergency situations where no delay can be tolerated
• Researchers from Princeton and Purdue University have developed MedMon, a prototype firewall
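The repeated maximum-dose delivery described on the insulin pump slides is a command pattern that a monitoring firewall sitting in front of the pump could refuse. The following is an added example, not MedMon's code and not part of the original slides; the spacing, window and hourly cap are assumed values, and the command log is constructed.

```python
from dataclasses import dataclass

MAX_BOLUS_UNITS = 25.0        # maximum single dose quoted on the slides
MIN_SPACING_SECONDS = 300     # assumed minimum gap between two boluses
WINDOW_SECONDS = 3600         # assumed look-back window
MAX_UNITS_PER_WINDOW = 30.0   # assumed cap; a real cap is set clinically

@dataclass
class Command:
    ts: int        # seconds since the start of the capture
    kind: str      # "bolus" or "status"
    units: float   # insulin units requested (0 for status)

def review(commands):
    """Return (command, verdict, reason) for each command, in arrival order."""
    accepted = []  # (ts, units) of boluses already let through
    out = []
    for c in commands:
        if c.kind != "bolus":
            out.append((c, "allow", "read-only"))
            continue
        recent = sum(u for t, u in accepted if c.ts - t < WINDOW_SECONDS)
        last_ts = accepted[-1][0] if accepted else None
        if c.units <= 0 or c.units > MAX_BOLUS_UNITS:
            verdict, reason = "block", "dose outside device range"
        elif last_ts is not None and c.ts - last_ts < MIN_SPACING_SECONDS:
            verdict, reason = "block", "repeat too soon"
        elif recent + c.units > MAX_UNITS_PER_WINDOW:
            verdict, reason = "block", "cumulative dose exceeds window cap"
        else:
            verdict, reason = "allow", "within policy"
            accepted.append((c.ts, c.units))
        out.append((c, verdict, reason))
    return out

# Constructed sample traffic, not captured from any device.
SAMPLE = [
    Command(0, "status", 0),
    Command(60, "bolus", 4.0),
    Command(900, "bolus", 25.0),    # maximum dose, still inside the cap
    Command(905, "bolus", 25.0),    # immediate repeat of the maximum dose
    Command(1300, "bolus", 25.0),   # spaced out, but over the window cap
    Command(2000, "bolus", 40.0),   # larger than the device allows
    Command(4600, "bolus", 3.0),    # earlier doses have left the window
]

if __name__ == "__main__":
    for c, verdict, reason in review(SAMPLE):
        print(f"t={c.ts:>5} {c.kind:<6} {c.units:>5} U  {verdict:<5} {reason}")
```

Blocked commands are not added to the running total, so a burst of rejected requests cannot lock out a later legitimate dose.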
U.S. FOOD AND DRUG ADMINISTRATION
• FDA has released draft guidance for cybersecurity concerns
• New draft lays out specific concerns that must be addressed when applying for FDA approval for new devices
• Requires manufacturers to report security breaches, and has called upon them to review and improve their security procedures
• FDA is now developing a cybersecurity laboratory to focus on potential threats to medical devices and systems