Is It Time For Computer Security Experts To Get Jobs In The Medical Device Arena?

from the dance,-heart-patient,-dance! dept

Tue, Mar 18th 2008 4:59pm — Mike Masnick

Last week, one of the stories that got a few headlines and made the rounds concerned the news that some popular heart monitors could be hacked, potentially in a way that would provide powerful shocks to to the heart of someone who had such a device implanted. The reports made it very clear that the likelihood of such a hack was incredibly slim, as it would require a tremendous amount of access. So, this isn't something to worry about today, but it does suggest one area where it may pay for medical device makers to start thinking a little bit more about security. There was a report, about two years ago, that also warned of something similar, which we played down as a bit of fear-mongering (it had no real details, just suggesting that pacemakers would become a hacking target). It still seems like this is not going to be a huge threat any time in the near future, but that doesn't mean that those who design medical devices, especially those with connections to the outside world, shouldn't at least think through the potential security concerns and design these devices with security in mind from the beginning. That seems a lot safer than having to fix all of the installed devices down the road.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: computer security, hacking, medical devices

6 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

William Jackson, 18 Mar 2008 @ 5:39pm

Med devices
Pace makers are susceptible to various forms of RF interference and can rendered nonfunctional with very simple means. It does not even take hacking or access. On the other hand the government, in their infinite wisdom, have passed HIPPA regulations that interfere with the delivery of health care to individuals. Trying to ask colleagues at another institution about a patient can violate the rules, even if it is for the betterment of care. Then on top of that sharing medical images is a nightmare. Each vendor has their own implementation of the PACS (Picture Archiving and Communications System) standard DICOM (a JPEG derived "standard"), that is is difficult to view the necessary images.
[ link to this | view in chronology ]
rob friedman, 18 Mar 2008 @ 6:38pm

Experts of all kinds should be apart of all industries. Diversity is good.
[ link to this | view in chronology ]
It Wasnt me, 18 Mar 2008 @ 11:09pm

"provide powerful shocks to to the heart of someone"
i think just one is enough.

aren't pacemakers supposed to give electric shocks to the heart to jump start it?

sound more like mis configuration, to me
[ link to this | view in chronology ]
Ferin, 19 Mar 2008 @ 5:11am

The legitimate fear, I think, is that electronic security in many cases becomes a hindrance to functionality. Not too terrible when you forget your password and can't access your bank account, that can wait till morning in many cases. It's aquite a bit more terible when your pacemaker's gone on the fritz and you can't give an emergency override command to it.
[ link to this | view in chronology ]
Andy``, 19 Mar 2008 @ 6:28am

"aren't pacemakers supposed to give electric shocks to the heart to jump start it?"

You could say that, but that's not quite the idea. A pacemaker keeps the heart beating at a steady pace where the body's own electrical impulses fail to do so - it keeps the heart's rhythm going when it misses a beat, or is running too slowly, basically. Now I don't know how artificial pacemakers can be programmed and what limitations are in place, and some factors are probably dependant on the condition of the patient, but the idea is probably that you can disrupt the pace of the heart (which is already having enough pacing problems without outside interference) and make it stall. Or, alternatively, switch off the pacemaker and wait a bit.

I don't see why computer security experts shouldn't already be working on medical devices though. Medical devices are, after all, just other computer systems with different functions. Somebody should be involved in the security of any computer system though: technology's fun and all, but it's used more and more in situations where post-control loss the technology can become annoying or dangerous.

That said, computer security isn't the only way about it. Restriction of physical access is a plus too - not an altenative, ideally you want both fields covered together. But if someone can't get to the equipment or the software to control something like a pacemaker, and there's no way to connect to the hospital/etc from outside of the premesis...well, if someone manages this kind of thing in that kind of situation then there are probably bigger problems than computer security to worry about, no?

But then, I can't imagine many medical systems becoming all that big of a target until someone devices a way (efficient or otherwise) of messing with lots of them at once.
[ link to this | view in chronology ]
dan, 19 Mar 2008 @ 11:56am

Hacking medical devices
Hacking medical devices is far too easy, they are FDA regulated, so there is not much you can do there, but an MRI machine with Windows 2000 SP1, quad CPU and a TB of storage, and a 1 GB link, makes the best video storage system ever. You would need more than Security Engineers at medical device manufacturers, you need them at the FDA as well.
[ link to this | view in chronology ]