04.16.12
The Hacker: possibly one of the most feared figures in the modern world, she has the ability to access every detail of our lives and identities. If not targeting individuals, a hacker can target corporations—just to prove she can. The buzz about hackable medical devices has been increasing in volume lately as a federal advisory board calls for a thorough review of medical devices that are accessible wirelessly before they are released.
In October 2011, news broke that security software company McAfee had exposed a weakness in a Medtronic insulin pump by “ethically hacking” the device, specifically to demonstrate that it could be done. The potential for malicious hacking of life-sustaining devices is too high to be ignored, which has prompted close review of such devices.
The Information Security and Privacy Advisory Board (ISPAB), created by the Computer Security Act of 1987, is drawing attention to the issue because the number of wirelessly accessible devices is on the rise. These devices can allow for remote checkups and follow-ups, where the patient does not need to physically visit the physician; they can allow for—as in the case of the Medtronic pump—administration of a dose of medication wirelessly and without the use of a needle. There are wide and varied advantages to devices like these, but as the ISPAB implied in a recent letter, the patient would be exposed to “significant risk of harm.”
The ISPAB issued this letter on March 30 to the Office of Management and Budget, as well as the U.S. Department of Health and Human Services and the National Institute of Standards and Technology.
“Further complicating this picture,” the letter states, “[are that] the economics of medical device cybersecurity involves a complex system of payments between multiple stakeholders—including manufacturers, providers, and patients. At the same time, no one agency has primary responsibility from Congress to ensure the cybersecurity of medical devices deployed across this spectrum.”
The ISPAB letter also expressed concern over factors that discourage companies and others from reporting device security breaches, such as a fear of liability.
The ISPAB suggests that an agency such as the U.S. Food and Drug Administration (FDA) should be given responsibility for medical device security. The FDA would collaborate with various expert boards such as the National Institute of Standards and Technology. The board concluded that further study is needed before wirelessly accessible medical devices can safely be placed on the market.
Meanwhile, at Purdue and Princeton Universities, located in West Lafayette, Ind., and Princeton, N.J., respectively, a group of researchers has created a prototype of a firewall for medical devices that they claim is close to un-hackable. The prototype is known as MedMon, for medical monitor, but the research group has stressed that this is a proof of concept only. The concept would have to be miniaturized—and, of course, materialized—before it can be tested and used. A provisional patent application has been filed on the concept.
“This is still not going to solve privacy concerns,” Anand Raghunathan told Inside Indiana Business. “Someone could still learn that you have a medical device, but hopefully they are not going to be able to do anything bad to you. It is extremely difficult to make a system completely impregnable.” Raghunathan is the lead researcher, a Purdue professor of electrical and computer engineering, and a member of Purdue’s Center for Implantable Devices. Raghunathan is working with two engineering graduate students from Princeton, Chunxiao Li and Meng Zhang.