Pacemakers, Medical Devices, and Cyberbiosecurity

September 28, 2023 — Jt Spratley

Pacemakers are one of the most commonly used medical embedded systems in homes today. With the strides in wireless networking, pacemakers have evolved into mobile electrocardiogram (ECG/EKG) machines, tracking patients' cardiac activity remotely to assist doctors with heart health treatments [1]. These now-networked embedded systems are unfortunately developed without serious attention to cybersecurity. Many incidents within the past decade have highlighted such vulnerabilities and their potentially fatal effects.


In 2012, Barnaby Jack of security vendor IOActive was able to manually trigger a pacemaker's function to “detect irregular heart contractions and deliver an [830-volt] electric shock to avert a heart attack” remotely from a laptop [2]. A few years later, unrelated studies proved the lack of encryption in wireless communications and the use of older operating systems (OSes), specifically Windows XP in 2015, in embedded medical systems [3]. Marie Moe of the I Am The Cavalry cybersecurity research group [4] notes that battery draining attacks (BDA) [5] are also possible.

Some experts argue that patients shouldn't be too alarmed, since such attacks require “Bluetooth range” and there's a greater return on investment (ROI) in breaching medical servers for ransomware profits [6]. However, some Bluetooth connections can extend beyond 200 meters, quite a bit of distance for a digital road warrior attack [7]. Patients are advised to follow updates related to their implanted devices and visit their doctor immediately when firmware updates are available [8].

Better times should come soon as the Food and Drug Administration (FDA) is now requiring medical devices to meet cybersecurity standards [9]. Meanwhile, the rising field of cyberbiosecurity aims to tackle security risks related to biotechnology and cyber-genetics-related efforts [10].

References

[1] “How Medical Embedded Systems Transformed the Healthcare Industry.” Total Phase, Aug. 6, 2019. [Online]. Available: https://www.totalphase.com/blog/2019/08/how-medical-embedded-systems-transformed-the-healthcare-industry/.

[2] J. Kirk. “Pacemaker hack can deliver deadly 830-volt jolt.” IDG Communications, Oct. 17, 2012. [Online]. Available: https://www.computerworld.com/article/2492453/pacemaker-hack-can-deliver-deadly-830-volt-jolt.html.

[3] M. Khera. “Think Like a Hacker: Insights on the Latest Attack Vectors (and Security Controls) for Medical Device Applications.” Journal of Diabetes Science and Technology, vol. 11, no. 2, pp. 207-212, 2017. doi:10.1177/1932296816677576.

[4] “This woman hacked her own pacemaker to show how vulnerable we are to cyberattacks.” World Economic Forum. [Online]. Available: https://www.weforum.org/videos/this-woman-hacked-her-own-pacemaker-to-show-how-vulnerable-we-are-to-cyberattacks.

[5] P. Arntz. “Polite WiFi loophole could allow attackers to drain device batteries.” Malwarebytes Labs, Jan. 10, 2023. [Online]. Available: https://www.malwarebytes.com/blog/news/2023/01/polite-wifi-loophole-could-allow-attackers-to-drain-device-batteries.

[6] D. Johnson. “Can Pacemakers (and Other Medical Devices) Really Be Hacked?” How-To Geek, Jul. 18, 2019. [Online]. Available: https://www.howtogeek.com/427904/can-pacemakers-and-other-medical-devices-really-be-hacked/.

[7] “Understanding Bluetooth Range.” Bluetooth. [Online]. Available: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/range.

[8] B. Curley. “Hackers Can Access Pacemakers, but Don’t Panic Just Yet.” Healthline, Apr. 4, 2019. [Online]. Available: https://www.healthline.com/health-news/are-pacemakers-defibrillators-vulnerable-to-hacker.

[9] J. Korn. “FDA requires medical devices be secured against cyberattacks.” CNN, Mar. 29, 2023. [Online]. Available: https://www.cnn.com/2023/03/29/tech/fda-medical-devices-secured-cyberattacks/index.html.

[10] S. Porter. “What is cyberbiosecurity?” Biotech-Careers, May 12, 2023. [Online]. Available: https://biotech-careers.org/articles/what-cyberbiosecurity.

Tags: cybersecurity, health
