Can a Hack Give You a Heart Attack?

Implantable medical devices offer great benefits but there are risks.

By Chandra Steele

via PC Mag

This story originally appeared on PCMag

One of the final frontiers of medicine is using technology to solve problems medication and traditional surgery cannot. Implantable medical devices help regulate heart rhythms, steady the tremors of Parkinson's patients and deliver insulin. But how susceptible are they to getting hacked?

When we talk insecure IoT devices, we're usually referring to coffee pots gone rogue and smart speakers commandeered by bots. If the device is inside you, though, you can't just run a security scan or reboot.

The recent WannaCry ransomware, for example, locked down medical records in hospitals, infected MRI machines and hit diagnostic radiology equipment. Had it spread to implantable medical devices, the results could've been deadly.

Insane in the membrane

In deep-brain stimulation (DBS), a neurostimulator is implanted in the brain so that it can help regulate nerve signals. DBS treats symptoms of Parkinson's disease and dystonia, and its use for other diseases -- like Tourette's and obsessive-compulsive disorder -- is being studied.

Last year, researchers from Oxford and St George's, University of London published a study demonstrating how susceptible DBS implantations are to attack, or brainjacking. An attack could turn the device off or wear down its battery, cause tissue damage from over-stimulation, alter behavior and cognition, impair motor function, affect impulse control, cause pain and even change emotions, they found.

"We conclude that researchers, clinicians, manufacturers, and regulatory bodies should cooperate to minimize the risk posed by brainjacking," researchers said.

Pumped-up kicks

Insulin pumps are external, computerized devices that attach to a sub-dermal tube and deliver short-acting doses of insulin to diabetes patients. They free those with diabetes from having to continuously test their blood and inject themselves, and while they are not connected to the internet, they can still be affected by outside interference.

Jay Radcliffe, a security researcher at Rapid7 and a diabetic, found that the wireless remote for his Johnson & Johnson Animas OneTouch Ping diabetes pump communicated in an unencrypted fashion.

"Attackers can trivially sniff the remote/pump key and then spoof being the remote or the pump," he wrote last year. "This can be done without knowledge of how the key is generated. This vulnerability can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction."

Radcliffe alerted Animas Corporation, CERT/CC, the FDA and DHS. "Animas has been highly responsive and is proactively notifying users of the devices, and recommending mitigations for the risks," he said at the time.

For now, the benefits of these implantable medical devices outweigh the risk of a cyber attack, Radcliffe told PCMag. It "often requires special equipment and expertise in both computers and medical equipment to compromise these systems," he said. "I think all medical device vendors and operators are taking the situation of cyber security very seriously and are working hard to make sure patients using these devices are safe."

Massive attack

There is perhaps no heart patient as famous as former Vice President Dick Cheney, who has suffered five heart attacks and has at various times had a pacemaker, defibrillator and left ventricular assist device. Because of fears of an assassination attempt, Cheney had the wireless capabilities of his pacemaker turned off, he told 60 Minutes in 2013.

To date, no such attack has been successfully carried out on anyone with an implanted heart device. But in 2012, security researcher Barnaby Jack demonstrated at the BreakPoint security conference how a fatal attack could be executed against someone with an implanted pacemaker or defibrillator. Jack continued his research into implantable medical devices, and argued that government agencies and manufacturers were not doing enough to protect patients. Sadly, the night before he was set to give a demonstration of his findings at BlackHat 2013, he died of a drug overdose.

Regulating forces

When a medical device comes to market, it is examined and approved by the Food and Drug Administration (FDA). As part of that process, the agency evaluates the device for cyber-security risks.

"The FDA allows devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks," the agency said in a statement. "While the increased use of wireless technology and software in medical devices also increases the risks of potential cyber-security threats, these same features also improve health care and increase the ability of health care providers to treat patients."

Should any vulnerabilities be found after a device is on the market, the FDA works with the Department of Homeland Security to address the problem.

The National Institute of Standards and Technology (NIST) also serves as a resource; a NIST spokesperson said the agency has an eye toward protecting devices that are already on the market and pointed to best practices the agency wrote for manufacturers of wireless infusion pumps.

Chandra Steele

Senior Features Writer, PCMag

Related Topics

Editor's Pick

This 61-Year-Old Grandma Who Made $35,000 in the Medical Field Now Earns 7 Figures in Retirement
A 'Quiet Promotion' Will Cost You a Lot — Use This Expert's 4-Step Strategy to Avoid It
3 Red Flags on Your LinkedIn Profile That Scare Clients Away
'Everyone Is Freaking Out.' What's Going On With Silicon Valley Bank? Federal Government Takes Control.

How to Detect a Liar in Seconds Using Nonverbal Communication

There are many ways to understand if someone is not honest with you. The following signs do not even require words and are all nonverbal queues.

Celebrity Entrepreneurs

'I Dreaded Falling in Love.' Rupert Murdoch Is Getting Hitched for the Fifth Time.

The 92-year-old media tycoon announces he will wed former San Francisco police chaplain Ann Lesley Smith.

Business Ideas

55 Small Business Ideas To Start Right Now

To start one of these home-based businesses, you don't need a lot of funding -- just energy, passion and the drive to succeed.


How Great Entrepreneurs Find Ways to Win During Economic Downturns

Recessions are an opportunity to recalibrate and make great strides in your business while others are unprepared to brave the challenges. Here's how great entrepreneurs can set themselves up for success despite economic uncertainty.

Starting a Business

Selling Your Business? Do These 6 Things Right Now.

If you want the maximum price you need to make these moves before you do anything else.

Business News

'Invest In That Future Now Before It's Too Late': Bill Gates Calls For Global Pandemic Response Team In Op-Ed

In the same month that the World Health Organization called the coronavirus a pandemic three years ago, billionaire Bill Gates reiterated his call for a "fire department for pandemics."