by: Katherine Stenger
The withholding of a pacemaker shock after cardiac arrest. The delivery of an extremely high dose of insulin. The prevention of access to medical files in an emergency room. All three of these potentially fatal situations can be created with simple hacks to extremely vulnerable medical devices.
For a growing number of hospital patients, the chance of having a life-saving medical device hacked has increased in conjunction with the rise of software based medical technology. While this is truly a chilling new reality, it is not a surprising one. According to health care security researcher Dr. Nina Alli, hospitals are among the fastest facilities to adopt new technology, but are also some of the slowest environments to also bring in proper malware defense measures. Thankfully, due to the recent legalization of hacking-based research on devices within hospitals, Alli and her company, BioHacking Village, have used unconventional methods to make their own headway in the field. Through public engagement, BioHacking Village hopes to help expose system weaknesses within medical devices that have the potential to affect millions of patients each and every year.
As hospitals have become increasingly digitized, code-based, and internet connected, their vulnerability to hacking is thought to have increased as well. Reports of hackers holding digital medical files hostage until a ransom is paid have surfaced within the last year. Similarly, incidences of pacemaker hacks that withhold shocks after cardiac arrest have grown in number. Beyond very dramatic and high profile situations such as these, the full scope of what devices have the potential to be hacked is relatively unknown. Until 2016, it was actually illegal for researchers to test security features of medical technology through lab based “cracking” (intentional hacking by tech companies themselves to test system durability), making understanding the precise vulnerabilities of the devices, and their solutions, extremely difficult.
As an advocate for medical device security, health care researcher Dr. Nina Alli has stationed herself with information on the epidemic at a small booth housed at the annual Las Vegas hacking convention, DEF CON. The popular event has over 30,000 annual participants and draws those who are considered to be the best professional hackers from around the world. At events like this, many industries allow, and even incentivise, the hacking of their devices and web systems. Participants are observed, their hacks noted, and updates made to further secure the software. Unfortunately, companies tied to production of systems or devices directly related to hospitals have not been able to participate in this same research method due to legal issues, as well as lack of financial support. However, with the recent legalization of medical device hacking, as well as full support and financial backing from ten major medical device manufacturers, Alli hopes that BioHacking Village will be able achieve the same research other industries have had access to for years.
With its new funds, BioHacking Village has physically expanded at DEF CON. Participants now have the opportunity to become immersed in a simulation hospital filled with hundreds of medical devices, and can work together to disable as many medical devices as they can. Alli hopes that the full scope of hospital vulnerability will be exposed and further understood through this research project.
Alli also mentions hacking based research is not the only way for the medical world to protect its patients. According to research conducted by BioHacking Village, those installing and using devices regularly are not often aware of how to activate device security features, therefore medical professionals themselves should also be trained in device security. In this sense, doctors, nurses, and others working in hospitals are a “first line of defense” of medical device security.
While BioHacking Village has helped the medical world make strides in device security, patients who already rely on much older devices are still at risk for hacks. Current research can only help medical device developers make improvements in devices for future patients, and those who have older implants are not always in a position to receive a new one. The group hopes to also address this quandary in future research projects.
New medical devices have the opportunity to help save millions of patient lives. That being said, device security must also match the rapid evolution of medical technology in order to protect the lives of the most vulnerable. Through the bolstering of device security itself, and through the proper technology training of medical professionals, an untold number of lives have the chance to be saved in the years to come.