This document discusses cybersecurity issues related to medical devices. It notes that many medical devices are connected wirelessly and vulnerable to hacking. Researchers have demonstrated ways to hack pacemakers and insulin pumps to harm patients. One researcher was able to hack pacemakers and access patient data from 30-50 feet away. The document calls for improved encryption, open-source development, and other solutions to address these risks while maintaining device functionality. The FDA has also begun focusing on cybersecurity of medical devices.

1. HACKING INTO MEDICAL
DEVICES
JANE WANG
SECTION 2

2. CYBERSECURITY
• Unauthorized access to data, which are either resident in or
exchanged between computer systems
• Attacks on system resources (i.e. computer hardware, operating
system software, and application software) by malicious computer
programs
• Attacks on computer networks, including infrastructure of privately
owned networks and the Internet itself

3. THE ISSUE
• Medical devices are often connected wirelessly to hospital networks
and are therefore vulnerable to cyber attacks
• More than half the devices sold in America rely on software
• So far, no known incidents of a hacked medical device injuring/killing
a person have occurred, but research has shown it is possible

4. PREVIOUS ACCIDENTS - UNINTENTIONAL
• Dozens of cases of viruses infecting computers that control X-ray
machines and laboratory equipment
• Bug in the software of a radiotherapy machine caused massive
overdoses of radiation to be delivered to several patients, killing at
least five
• One in three of all software-based medical devices sold in America
between 1999 and 2005 were recalled for software failures

5. PACEMAKERS
• Small device placed in the chest or abdomen to help control abnormal
heart rhythms
• Uses electrical pulses to prompt the heart to beat at a normal rate
• Have wireless transmitters to allow them to be programmed without
an invasive procedure
• Allows medical professionals to send pacemakers new instructions
• As of 2013, roughly one million people have pacemakers in the U.S.

6. PACEMAKERS – THE DANGER
• Due to the convenience of wireless transmitters, security
vulnerabilities of remote attacks on the body are now possible
• Allows for hacking through not only a laptop, but also Malware
installed on a hospital or company computer that may briefly interact
with an implant
• Could infect, reprogram, or command the device to perform a more lethal
function

7. BARNABY JACK
• Discovered a way to hack into a pacemaker via its wireless transmitter
and make the device send an 830-volt shock through a person’s body
• Can be done with a laptop from 30 to 50 feet away
• Demonstrated the hack during a talk at Breakpoint security
conference in Melbourne, Australia
• Was also able to access personal data stored on implants, such as
confidential patient information and the doctor’s name

8. INSULIN PUMPS
• Device used for administration of insulin in the treatment of diabetes
• Many insulin pumps are now wireless
• Allows the patient to check on the pump’s status and activity
• Allows for control of the dosage administered
• As of 2007, over 400,000 insulin pump users in the U.S.

9. INSULIN PUMPS – THE DANGER
• Wireless transmitters once again can cause problems, and cause the
pump to deliver a deadly dose of the hormone
• Currently there are patents for insulin pumps that can hook up to WiFi
and be controlled via a web browser
• Huge potential for exploits, especially since exploits to compromise web
interfaces are developed daily

10. BARNABY JACK
• Also discovered how to hack insulin pumps
• Was able to obtain complete control of all pumps within a vicinity
without any prior knowledge of their serial numbers
• Able to cause device to repeatedly deliver its maximum dose of 25
units until the entire reservoir was depleted
• Able to hack pumps from a distance of up to 300 feet using a highgain antenna

11. DELOITTE STUDY
• Consultants interviewed representatives from 9 health care
organizations
• Majority felt that their organizations had strategies and frameworks for
managing cybersecurity risks
• However, many differences in the degree of preparedness and
approaches for handling cyberthreats

12. WHY IS THIS ETHICAL?
• If nothing is done about it, millions of people are put at risk
• However, medical professionals will still be able to change settings without the
use of medical procedures, allowing for the patient to carry on through everyday
life normally
• If something is done about it, either:
• Research will be conducted to find a safe solution that preserves the patient’s
convenience, but in the mean time will people will still be at risk
• Wireless transmitters will be removed, and patients will have to suffer through
invasive procedures whenever a change is required

13. SOLUTIONS
• Encryption
• Problem: Encryption takes up valuable processing time on a device
• Goal: To develop encryption that addresses the cyberrisk without impacting the
functionality of the device
• Open-source
• Start making open-source devices, so more people can learn how these devices
work
•
Allows for more minds to come up with security issues, as well as discover fixes for
them
• Currently prohibited for use on live human patients

14. SOLUTIONS
• Researchers at Rice University have found a way to use a heartbeat
reading as a way to confirm that whoever is trying to reprogram or
download data from a device is in direct contact with the patient
• Makes it clear if someone is a remote hacker
• This fix could work even in emergency situations where no delay can be
tolerated
• Researchers from Princeton and Purdue University have developed
MedMon, a prototype firewall

15. U.S. FOOD AND DRUG ADMINISTRATION
• FDA has released draft guidance for cybersecurity concerns
• New draft lays out specific concerns that must be addressed when
applying FDA approval for new devices
• Requires manufacturers to report security breaches, and has called
upon them to review and improve their security procedures
• FDA is now developing a cybersecurity laboratory to focus on
potential threats to medical devices and systems