Is It Time For Computer Security Experts To Get Jobs In The Medical Device Arena?
from the dance,-heart-patient,-dance! dept
Last week, one of the stories that got a few headlines and made the rounds concerned the news that some popular heart monitors could be hacked, potentially in a way that would provide powerful shocks to to the heart of someone who had such a device implanted. The reports made it very clear that the likelihood of such a hack was incredibly slim, as it would require a tremendous amount of access. So, this isn’t something to worry about today, but it does suggest one area where it may pay for medical device makers to start thinking a little bit more about security. There was a report, about two years ago, that also warned of something similar, which we played down as a bit of fear-mongering (it had no real details, just suggesting that pacemakers would become a hacking target). It still seems like this is not going to be a huge threat any time in the near future, but that doesn’t mean that those who design medical devices, especially those with connections to the outside world, shouldn’t at least think through the potential security concerns and design these devices with security in mind from the beginning. That seems a lot safer than having to fix all of the installed devices down the road.
Filed Under: computer security, hacking, medical devices
Comments on “Is It Time For Computer Security Experts To Get Jobs In The Medical Device Arena?”
Med devices
Pace makers are susceptible to various forms of RF interference and can rendered nonfunctional with very simple means. It does not even take hacking or access. On the other hand the government, in their infinite wisdom, have passed HIPPA regulations that interfere with the delivery of health care to individuals. Trying to ask colleagues at another institution about a patient can violate the rules, even if it is for the betterment of care. Then on top of that sharing medical images is a nightmare. Each vendor has their own implementation of the PACS (Picture Archiving and Communications System) standard DICOM (a JPEG derived “standard”), that is is difficult to view the necessary images.
Experts of all kinds should be apart of all industries. Diversity is good.
“provide powerful shocks to to the heart of someone”
i think just one is enough.
aren’t pacemakers supposed to give electric shocks to the heart to jump start it?
sound more like mis configuration, to me
The legitimate fear, I think, is that electronic security in many cases becomes a hindrance to functionality. Not too terrible when you forget your password and can’t access your bank account, that can wait till morning in many cases. It’s aquite a bit more terible when your pacemaker’s gone on the fritz and you can’t give an emergency override command to it.
“aren’t pacemakers supposed to give electric shocks to the heart to jump start it?”
You could say that, but that’s not quite the idea. A pacemaker keeps the heart beating at a steady pace where the body’s own electrical impulses fail to do so – it keeps the heart’s rhythm going when it misses a beat, or is running too slowly, basically. Now I don’t know how artificial pacemakers can be programmed and what limitations are in place, and some factors are probably dependant on the condition of the patient, but the idea is probably that you can disrupt the pace of the heart (which is already having enough pacing problems without outside interference) and make it stall. Or, alternatively, switch off the pacemaker and wait a bit.
I don’t see why computer security experts shouldn’t already be working on medical devices though. Medical devices are, after all, just other computer systems with different functions. Somebody should be involved in the security of any computer system though: technology’s fun and all, but it’s used more and more in situations where post-control loss the technology can become annoying or dangerous.
That said, computer security isn’t the only way about it. Restriction of physical access is a plus too – not an altenative, ideally you want both fields covered together. But if someone can’t get to the equipment or the software to control something like a pacemaker, and there’s no way to connect to the hospital/etc from outside of the premesis…well, if someone manages this kind of thing in that kind of situation then there are probably bigger problems than computer security to worry about, no?
But then, I can’t imagine many medical systems becoming all that big of a target until someone devices a way (efficient or otherwise) of messing with lots of them at once.
Hacking medical devices
Hacking medical devices is far too easy, they are FDA regulated, so there is not much you can do there, but an MRI machine with Windows 2000 SP1, quad CPU and a TB of storage, and a 1 GB link, makes the best video storage system ever. You would need more than Security Engineers at medical device manufacturers, you need them at the FDA as well.