
AsianScientist (Feb. 13, 2019) – Alongside unprecedented advances in artificial intelligence and digital technologies, the 21st century also brings with it entirely new possibilities for killing people.
Consider a scenario where hackers quietly infiltrate the pacemaker embedded within a target’s chest. Biding their time until an opportune moment, they finally unleash their attack, executing commands that disrupt the electrical impulses steadying the target’s heartbeat. Cause of death: heart failure, and no one is the wiser.
The perfect crime? Not so fast—would-be assassins shouldn’t abandon good old arsenic, knives or bullets just yet. While not impossible, cyberattacks on medical devices like pacemakers, insulin pumps and medical ventilators are so difficult to perpetrate that they don’t yet constitute a direct threat to patient care, said Dr. Ngiam Kee Yuan, group chief technology officer at Singapore’s National University Health System, a major academic medical center.
“It would take a very motivated and skilled person or group of people [to successfully hack a device],” he told Asian Scientist Magazine.
Hacking is hard
Although medical devices often sport Wi-Fi or Bluetooth connections, the majority of those approved for use today are only capable of sending information, not receiving it, Ngiam said; this makes them extremely difficult to attack remotely, since they can’t receive malicious instructions. Further, medical devices usually run on very simple, hardcoded software rather than on general-purpose operating systems with known security vulnerabilities, he added.
A hacker bent on infiltrating such a device would need to physically tamper with it to disrupt its operating software, said Ngiam. One doesn’t need the sharpest of criminal minds to understand that this isn’t a good idea: first, you’d likely get caught; second, you’d need to know the device inside and out; and third, if you’re going to go through the trouble of getting your hands on the device—say a drug pump—you might as well just disconnect it or simply push a button instead to alter the dose.
Add to this the strict cybersecurity standards that medical devices approved by regulatory bodies like the US Food and Drug Administration or the European Commission must meet, and hackers, in practice, are faced with a daunting challenge indeed, said Ngiam.
All this hasn’t stopped white-hat hackers and cybersecurity companies from making a go of it, with some success. Security researcher Jay Radcliffe, for example, gained prominence in 2011 when he hacked his own insulin pump, manipulating the signals transmitted by its wireless blood sugar level sensors so that he could control the dose it dispensed, he claimed. Other researchers have found vulnerabilities in the internet-based software update system used by Medtronic’s pacemakers, which they say could allow hackers to install malicious code; the company discontinued the system in October 2018, switching to manual updates instead.
Vigilance on the part of the cybersecurity community could certainly help to reveal and plug potentially dangerous security loopholes. But the odds are stacked against medical devices when determined, skilled professionals are given ample time and repeated attempts to break into them, said Ngiam. In practice, hackers are less likely to have that luxury, which may explain why no serious real-world hacks of medical devices have yet been reported.
“What is possible in the imagination may not be reality, because of the way medical devices are approved, and the way [engineers] hardcode the software,” said Ngiam.
Connectivity concerns
Yet, as demand for round-the-clock remote patient observation increases, medical devices are set to grow still more complex and better connected. Future medical devices will thus need to incorporate ever more stringent cybersecurity safeguards, especially in a sector where breaches can put human health at risk.
According to Mr. Rajnish Kapur, director of cybersecurity at KPMG Singapore, cybersecurity protocols should be integrated into the medical device product development life cycle at its inception.
“[This] has to be [done] from the very beginning, rather than as an afterthought… once there is connectivity, there is risk,” he said, speaking in September 2018 at the Innovating Care Asia Pacific conference in Singapore.
In practice, however, medical device researchers and inventors don’t always prioritize cybersecurity from the outset.
“I think we’re more concerned with the functionality of the device than the security part, because the functionality itself is an uphill, daunting task to achieve,” said Dr. Matthew Chua, a principal investigator at the National University of Singapore’s Institute of Systems Science, in an interview with Asian Scientist Magazine.
According to Chua—who works on smart healthcare and cybernetics systems, such as an ankle-worn device that uses electrical stimulation to correct the gait of Parkinson’s patients—security typically isn’t a major concern during medical device trials.
“[Cybersecurity] more or less only comes in when you start to do mass fabrication to distribute and sell [the device]. Then people start to think about how to make the device secure,” he said.
For researchers on the ground like Chua, protecting medical devices comes down to a balance between managing risk and the judicious use of resources.
“No device can be hack-proof. You can put in as many defences as you want, [but] one day someone is going to crack it, it’s just a matter of time… so for me, usually we take a middle ground where [the device] is adequately protected, yet affordable at the same time.”
From hardware to software
As healthcare goes digital, the industry is increasingly dealing with a new category of medical devices, sometimes termed ‘software as a medical device,’ adds Ngiam. Defined as software that serves a medical purpose, this emerging and broad class includes electronic medical records systems, software that automates the detection of drug interactions, and artificial intelligence systems that help clinicians reach diagnoses.
Since decision support software still requires a ‘human in the loop’ to sanction and act on recommendations, a breach isn’t likely to be catastrophic. Still, compared to physical machines, software-based devices pose more of a security risk, because they interface with the internet and are often run on general-purpose operating systems like Windows or Linux, said Ngiam. By contrast, a physical device such as a medical ventilator runs on hardcoded software on a chip inside the machine itself, never on the operating system of an off-the-shelf computer.
“The more generic the platform, the more risk there is,” said Ngiam, as potential hackers have a larger toolkit at their disposal.
The 2017 WannaCry ransomware attack, which crippled the UK’s National Health Service and numerous other organizations worldwide, for example, spread through a known loophole in older versions of Windows, which many affected organizations had neglected to patch.
While standard enterprise-level security tools, if kept up to date, can sniff out most forms of malware, Ngiam recommends going one step further.
“Over and above enterprise-level tools, one of the tenets we have is to ensure that we always have some kind of proprietary protection that is not available commercially… the idea is that proprietary systems allow us to maintain a technological edge over would-be hackers,” he said.
Even if lethal physical device hacks currently belong to the realm of television series like Homeland, they might not stay confined there forever. Hackers are becoming more organized and sophisticated; state-sponsored hits are up; and the healthcare industry in 2017 superseded the finance sector as the number-one target of cyberattackers, said Kapur in his talk.
If anything like the much talked-about, hyper-connected healthcare Internet of Things—where hardware- and software-based medical devices communicate freely with one another and with clinicians to deliver the best patient care—is to become a reality, the good guys will need to make sure they win the cybersecurity arms race. Today, however, if you need someone dead, “it would be better to use a knife,” said Ngiam.
———
Copyright: Asian Scientist Magazine.