Homicide by a Medical Device?

Sir … can we open you up, as we need to apply a software patch to your pacemaker?

Okay, it is the script of a Hollywood movie. A hacker finds a vulnerability in every pacemaker ever produced and has managed to install ransomware on each of them.

He now tells the world that the US Government has two hours to pay 1,000 Bitcoins, or he will trigger the ransomware to stop every pacemaker. Before he does this, he gives all the pacemakers a “jolt” to show his power.

Then, within an action-packed and tense 60 minutes, we see a crack cyber team tracing his messages through blog posts and social media activity, storming into his Chicago apartment and disconnecting his computer just as he is about to press a big red button on his desk.

The world has been saved! Families all over the world hug each other, and the crack cyber team are high-fived as they exit the building.

Fiction or possible fact?

The not-so-secure devices

If you are in an industry where a fault can cause serious injury or death, you need to have safety as a top priority. So while there are good standards for mechanical and electrical safety, one must worry that IoT medical devices are still a long way off being completely secure. In fact, some medical devices (fewer than 20%) are kept off networks altogether because of the security risks.

For many years the FDA has been warning the health care industry about the cybersecurity risks of medical devices. In 2015, for example, it highlighted the risks around infusion pumps (see graphic on the right-hand side). The recall note explains that certain codes can be sent to a device which could make it behave unreliably, and which could lead to the device being compromised.

While infusion pumps could cause problems, it is devices such as pacemakers which could cause loss of life. So this week the FDA recalled a pacemaker due to non-compliance issues (see graphic on the right-hand side). The pacemaker recall affects 465,000 devices. Luckily there is often a firmware patch which can address the issues, but it can take up to a year to update all of the devices within a health infrastructure the size of the NHS.

The great worry of the FDA is that only 44% of healthcare organisations and 51% of device manufacturers follow the FDA advice on the cybersecurity risks of devices (advice). A key defence is the segmentation and isolation of medical devices on the network, but it is just as important to have a reliable way of locating every affected device and getting it updated.

What can be done?

The Royal Academy of Engineering recently set out that medical products need to be ‘secure by default’, and recommends [here]:

  • Mandatory risk management procedures should be considered for critical infrastructure, aligned to industry standards. These should set out guiding principles for cyber risk management during design, operation and maintenance.
  • Supply chain transparency — cybersecurity policies should require that there is transparency throughout the supply chain about the level of cybersecurity provided in products and services.
  • International ‘umbrella agreements’ on IoT — the UK government should work with other governments and international institutions — with the main providers of IoT components, devices and systems — towards ‘umbrella agreements’ that set out an international baseline for IoT data integrity and security for all parties to adopt.
  • Ethical frameworks that are appropriate to support ethical behaviours on IoT should be developed and applied to help minimise risks to society.

Conclusions

We seem to forget that we create IoT devices and then send them out into the world, where they will often struggle to be patched. If a device is physically embedded in someone, applying an update might mean that we actually have to open that person up, with all the risks involved in surgery, just to update the software.

Our devices thus need to be secure by design and secure by test, and fully tested before they ever reach a patient. With 5G we will see a new world being built. Our big clunky devices will be replaced by ones that are extremely small (almost invisible) but capable of transmitting and receiving at speeds never thought possible before. It will be a world of smart cities and buildings, but one which could collapse like a line of dominoes, so we need to make sure our devices are designed to the highest levels.

I worry that we just have a design brief and that we do not properly test devices. For me, every medical device should go through stringent tests before it even gets near citizens. This includes using cryptography at every possible point, especially as attackers can often get hold of the firmware and examine its contents (using tools such as binwalk).
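To make the point concrete, here is an added example (written for this article, not taken from any device vendor or from the recalls mentioned above) of what “using cryptography” looks like for the firmware update path of an implanted device. The image format, the model name `PM-100`, the provisioned key and the version numbers are all assumptions made for the example. The device accepts an update only if the image authenticates under its provisioned key, targets the right model, and carries a version newer than the one installed, so an attacker who has pulled the firmware apart with binwalk still cannot push a modified or downgraded image back onto it. A symmetric HMAC-SHA256 tag stands in for the signature so the example runs with the standard library alone; a production device would verify an asymmetric signature so that it holds only a public key and never the signing secret.

```python
"""Authenticated, anti-rollback firmware update check (illustrative example).

Hypothetical image layout, an assumption for this example and not any vendor's format:
  magic(4) 'PMFW' | model(8, NUL padded) | version(4, big-endian) | payload_len(4)
  | payload(payload_len) | tag(32) = HMAC-SHA256(key, header || payload)
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct(">4s8sII")   # magic, model, version, payload length
MAGIC = b"PMFW"
TAG_LEN = 32

# Constructed device state: a per-device key provisioned at manufacture (assumed).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
DEVICE_MODEL = b"PM-100"


class UpdateRejected(Exception):
    """Raised with a short reason whenever the device refuses an image."""


def build_image(key, model, version, payload):
    """What the manufacturer's signing step produces for one update."""
    header = HEADER.pack(MAGIC, model.ljust(8, b"\0"), version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(image, key, model, installed_version):
    """Device-side check. Returns (version, payload) or raises UpdateRejected."""
    if len(image) < HEADER.size + TAG_LEN:
        raise UpdateRejected("truncated image")
    header = image[:HEADER.size]
    magic, img_model, version, payload_len = HEADER.unpack(header)
    if magic != MAGIC:
        raise UpdateRejected("bad magic")
    body_end = HEADER.size + payload_len
    if body_end + TAG_LEN != len(image):
        raise UpdateRejected("length mismatch")
    payload = image[HEADER.size:body_end]
    tag = image[body_end:]
    # Authenticate before trusting any field that drives a decision.
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise UpdateRejected("authentication failed")
    if img_model.rstrip(b"\0") != model:
        raise UpdateRejected("wrong model")
    if version <= installed_version:             # anti-rollback: never downgrade
        raise UpdateRejected("rollback")
    return version, payload


def outcome(image, installed_version):
    """Summarise the device's decision as a string for the demo and tests."""
    try:
        version, _ = verify_image(image, DEVICE_KEY, DEVICE_MODEL, installed_version)
        return "ok:%d" % version
    except UpdateRejected as exc:
        return "rejected:%s" % exc


def run_demo():
    """Constructed scenarios: one genuine update and four hostile or stale images."""
    installed = 4
    genuine = build_image(DEVICE_KEY, DEVICE_MODEL, 5, b"pacing firmware v5")

    # Attacker edits one byte of the payload after extracting the image.
    tampered = bytearray(genuine)
    tampered[HEADER.size] ^= 0x01

    # Attacker signs a payload with a key of their own.
    attacker_key = b"A" * 32
    forged = build_image(attacker_key, DEVICE_MODEL, 6, b"malicious v6")

    # A genuinely signed but older image (re-introduces a fixed bug).
    old = build_image(DEVICE_KEY, DEVICE_MODEL, 3, b"pacing firmware v3")

    # A genuinely signed image for a different product line.
    other = build_image(DEVICE_KEY, b"ICD-200", 7, b"defibrillator fw")

    return {
        "genuine": outcome(genuine, installed),
        "tampered": outcome(bytes(tampered), installed),
        "forged": outcome(forged, installed),
        "rollback": outcome(old, installed),
        "wrong_model": outcome(other, installed),
        "truncated": outcome(genuine[:-1], installed),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print("%-12s %s" % (name, result))
```

The ordering inside `verify_image` is the part worth copying: lengths are checked only as far as needed to locate the tag, the tag is verified in constant time, and only then are the model and version fields believed. A parser that acted on the version field before authenticating it would let an attacker talk the device into a rollback with nothing more than a hex editor.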