Across all industries, smart devices are becoming the norm. This is increasing the opportunity for hackers to steal data, make money, and wreak havoc. Among the most useful, yet dangerous, of these smart Internet of Things devices are medical device implants. Such implants ensure hearts keep beating at the right rhythm, sugar levels are balanced in diabetics, or amputees have use of a new right arm. To improve the functionality, efficiency, and effectiveness of these devices, many are networked and can be adjusted without having to directly touch the device. While this provides a huge benefit, it also opens the patient up to increased risks of being hacked and manipulated.
Last week the Department of Homeland Security issued a security advisory regarding two critical vulnerabilities in twelve Cardioverter Defibrillators, implants that shock a patient’s heart back into a normal heartbeat. If hackers were so inclined, they could exploit these vulnerabilities and impact the devices’ functions. Such exploitation could result in failure of the device to perform its duties or the theft of data transmitted by the device. In some cases, device failure could certainly result in death.
So why would hackers even want to hack such a device in the first place? It’s true that such attacks are unlikely to be regular occurrences, both because hackers generally do not seek to do physical harm to people and because such hacks require close access to the device being hacked. But in some circumstances hackers may have a vested interest and motivation. Consider the following three scenarios:
- A high-profile individual with an implant who is being targeted by a foreign government – whether for assassination or simply to gather personal information used for intelligence purposes.
- Hackers who take a page out of the ransomware playbook and seek to hijack your device and hold it ransom until you pay.
- Personal data generated by the device is stolen and sold on dark web markets for identity theft purposes.
None of these is outside the realm of possibility, and together they show that really anyone could be a target. For individual patients, there is little that can be done to protect oneself from such an attack. You really are relying on the low likelihood of it ever happening. However, putting pressure on manufacturers, hospitals, and doctors to ensure secure devices is an impactful action one can take.
Manufacturers hold the primary responsibility for securing smart medical implants. As part of the development and production cycle, they need to include multiple levels of security checks, including regular code review and pen testing. It is also wise to ensure communication between the device and the server is encrypted.
Advances in these medical technologies are extremely helpful and are saving lives, but, like anything, there are risks. Understanding these risks enables us to make more informed choices and to demand that hospitals and the companies producing these devices ensure they are secure and safe to use.