Why Hackers Exploit Implantable Medical Devices

The rise of the digital age has led to an increase in electronic medical data and technology. The healthcare industry continues to become more reliant on digital health information. 

It allows for efficient care since health professionals can easily access medical records. It also helps them administer treatment to patients.

But medical technology also poses a security concern because it’s hackable. Out of almost 32 million patient record breaches in the first half of 2019, hacking was the cause of 60%.

Hackers actively target healthcare organizations. But they may also target patients through the devices given to them, including implanted ones.

What are Implantable Medical Devices?

Implanted medical devices are objects fixed into the body to assist with function. Their wireless communication connects patients to health professionals, relaying vital patient data. They may also administer treatment or doses of medicine.

They often lack adequate security because the data sent over their wireless links isn't encrypted. This increases the likelihood of a hack.

 
 

But what does an attack on an implanted medical device mean for a patient, and why is it significant? 

While many medical hacks result in exposed PHI, this type has the potential to be fatal for patients.

Once inside a device, attackers are in control of a patient’s life. At any point they can adjust treatment and lethally harm a subject.

These Devices Have Vulnerabilities

The first warning of these insecurities came from hackers themselves. Three ethical hackers exposed vulnerabilities in different forms of implantable medical devices.

As a diabetic, Jay Radcliffe wanted to know the vulnerabilities of his insulin pump. So he tried hacking his pump and found out that it wasn’t difficult. Once he took control over the pump, he could alter doses.

One hacker revealed that it's possible to send lethal electric shocks through pacemakers. Another demonstrated that hackers could administer improper drug doses via drug infusion pumps.

These vulnerabilities quickly got the attention of the government. The US Food and Drug Administration (FDA) has since issued cybersecurity guidance and raised concerns about these devices.

But other devices still contained vulnerabilities, so the FDA had to release warnings and recalls.

Hospira Inc.

This was the first medical device that the FDA advised against using due to its cybersecurity vulnerabilities.

Hospira Inc.’s Symbiq Infusion System administered medication to a patient’s bloodstream. The goal was to reduce medication errors, but instead, it introduced cybersecurity risks.

Users could hijack the device and control the patient’s system through hospital network access. This allowed them to alter the pump’s dosage at will.

In 2015, the FDA asked hospitals to stop using this system altogether.

St. Jude Medical

The next year, the FDA recalled 465,000 of St. Jude Medical’s implantable cardiac pacemakers. The device was vulnerable to hackers draining the battery or adjusting the heartbeat.

Instead of removing patients' pacemakers, St. Jude Medical developed a firmware update. This FDA-approved update increased security to reduce the risk of unauthorized access.

There hasn’t been any word of this issue since the firmware update, which is good news for patients with this pacemaker.

Medtronic

Medtronic experienced a similar threat to St. Jude’s pacemaker in March of 2019. Its cardiac devices connected to wireless telemetry technology.

The technology would read and send data to patients' physicians using in-home systems. It allowed doctors to remotely monitor heart health.

 
List of recalled MiniMed devices provided by the FDA.


In June 2019, Medtronic faced another recall from the FDA. Medtronic MiniMed insulin pumps sent insulin to patients continuously or in surges around mealtime. The FDA warned that someone nearby could connect to the device over a wireless connection. Once in the device, they could change the dosage settings.

Medtronic listed eleven different insulin pumps that had the vulnerability and replaced them. At the time of the recall, Medtronic identified around 4,000 active devices and provided alternative pumps.

Luckily, there were no reports of patient harm due to the cybersecurity issue.

Conclusion

All digital information is vulnerable, but a hacker's main goal is financial gain. While tampering with an implanted medical device is not an apparent way to make money, the threat still exists.

A majority of health record breaches in the first half of 2019 were a result of hacks. Implantable devices are vulnerable to these hacks due to a lack of proper security.

Creators of these devices must take the proper cybersecurity steps since attacks could threaten patients' lives.

The FDA regulates these devices and gives guidance on cybersecurity for them. But primary responsibility falls on manufacturers. 

Manufacturers must continuously perform risk assessments to track and manage devices’ cybersecurity. Correction or removal of these products is necessary when they detect vulnerabilities. Doing so will mitigate potential harm to patients.