2016's cybersecurity risks raise questions about future interconnectivity

2016 saw a couple of incidents that spotlighted the vulnerability of medical devices to hacking and cyberattacks. But while cybersecurity flaws—such as those that could allow hackers to overdose a diabetic on insulin—can affect medical devices in their current form, the trend of increasing connectivity in med tech will only create more opportunities for unauthorized actors to exploit.

In August, short seller Muddy Waters publicized serious problems uncovered by cybersecurity researchers MedSec that left St. Jude Medical’s implantable cardiac devices vulnerable to attack. According to the accusers, hackers could attack patients who use these devices—which include implantable cardioverter defibrillators and cardiac resynchronization therapy devices—by either causing the device to malfunction or by draining the device’s battery. The devicemaker denied the allegations, saying that Muddy Waters and MedSec’s report contained “false and misleading” information, and sued the duo in September.

One of the claims St. Jude refuted was that a cardiac implant’s battery could be depleted from a range of 50 feet. The devicemaker said wireless communication with an implant could only occur from a seven-foot range, and it would take “hundreds of hours” of continuous wireless “pings” to drain the battery—so such an attack was not likely.

In October, Johnson & Johnson revealed a problem in its wirelessly controlled OneTouch Ping insulin pump that hackers could exploit to potentially cause the device to deliver unauthorized doses of insulin to patients, resulting in insulin overdose or hypoglycemia. While such an attack could result in death, J&J’s Animas unit and cybersecurity firm Rapid7 said the risk is low.

Patients with the OneTouch Ping system have a remote that uses a radio frequency communication system to tell their insulin pump when to deliver a dose. A Rapid7 researcher pointed out that because communications between the remote and the pump are not encrypted, a person within range of the system could observe its communications and copy or “replay” them to cause the pump to do things the user doesn’t tell it to do.
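The receiver-side check that defeats this kind of replay can be sketched in a few lines. This is an added example, not code from Animas, Rapid7 or the article: the frame layout, key, command string and class names are all constructed for illustration, and it uses a message authentication tag plus a monotonic counter as one common mitigation.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-pairing-key"  # assumption: secret shared when remote and pump are paired
TAG_LEN = 8                       # truncated HMAC-SHA256 tag, constructed frame format

def make_frame(key, counter, command):
    """Remote side: 4-byte counter + command bytes + authentication tag."""
    body = struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class NaivePump:
    """Accepts any command it hears, so a recorded command works again."""
    def __init__(self):
        self.delivered = []
    def receive(self, frame):
        self.delivered.append(frame)
        return True

class HardenedPump:
    """Rejects frames with a bad tag or a counter it has already seen."""
    def __init__(self, key):
        self.key, self.last_counter, self.delivered = key, 0, []
    def receive(self, frame):
        if len(frame) < 4 + 1 + TAG_LEN:
            return False                      # too short to be a valid frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or modified in transit
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return False                      # replayed or stale frame
        self.last_counter = counter
        self.delivered.append(body[4:])
        return True

def demo():
    naive, hardened = NaivePump(), HardenedPump(KEY)
    cmd = b"BOLUS:2.0U"                       # constructed sample command
    frame = make_frame(KEY, 1, cmd)
    tampered = bytearray(make_frame(KEY, 3, cmd))
    tampered[4] ^= 0x01                       # flip one bit of the command
    return {
        "naive_first": naive.receive(cmd), "naive_replay": naive.receive(cmd),
        "hardened_first": hardened.receive(frame),
        "hardened_replay": hardened.receive(frame),
        "hardened_next": hardened.receive(make_frame(KEY, 2, cmd)),
        "hardened_tampered": hardened.receive(bytes(tampered)),
    }
```

The tag authenticates commands but does not hide them; keeping the traffic confidential would additionally require encryption.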

While these two examples highlight cybersecurity concerns in contemporary devices, the trend toward greater connectivity will increase the risk of cyberattacks. Already, devices are transmitting data to mobile devices via Bluetooth, and apps are syncing with the cloud so patients may share their data with their caregivers and loved ones. And while this can help doctors monitor their patients from afar, or even allow them to adjust treatment remotely, connecting devices to the internet opens them up to attacks. As we move forward, companies and patients should think more closely about what safety mechanisms they have in place and what device testing they may perform, said Jay Radcliffe, a senior researcher at the cybersecurity firm Rapid7.