
Black Hat 2017: Hacking Healthcare Devices, Stopping Hearts and 'Jacking' Brains
Researchers at Black Hat USA described the growing threat of hacked medical devices.
Recent advances in technology have not only given way to new and better machines to test our health and potential for disease, but increasingly to implantable medical devices that can regulate the rhythms of the heart, manage a diabetic’s insulin levels, or take other life-saving measures.
However, with these terrific new rewards come potential risks — particularly the ability for these medical devices to be breached, shut down, or otherwise manipulated by a person who is able to exploit these devices’ wireless capabilities.
According to digital security researchers and vendors at the recent annual
While death by hacking sounds a bit extreme and morbid, the reality of these attacks has been under close investigation by researchers for at least five years, and potential vulnerabilities have already emerged. In 2016, research scientists in the United Kingdom, at Oxford and the University of London, published a study testing how people using a deep-brain stimulation (DBS) neuro-stimulating device — often given to Parkinson’s disease sufferers — were susceptible to so-called “brainjacking.” The U.K. research paper outlined that an attacker could exploit the device’s connectivity flaws to turn off the DBS device or ruin the battery, thereby causing tissue damage, potentially changing behavior, causing pain, or affecting impulses in the device’s wearer.
Indeed, the ability to hack or compromise such medical implantable devices may have first gained public notice when prominent security researcher Barnaby Jack at a security conference in 2012 demonstrated exactly how a malicious hacker could take over and execute
The area remains a hot topic, as well as a concerning one, for the medical device and information security communities alike. Recently, a security researcher from information security vendor Rapid7 discovered that his Johnson & Johnson diabetes pump transmitted information unencrypted, a security gap that could allow potential attackers to “sniff” out a way to remotely pump more insulin, or withhold it, which could cause hypoglycemia in a diabetic patient. [The Rapid7 researcher notified Animas Corp., the Johnson & Johnson company that makes the pump, and the vulnerability was patched.]