It seems that warnings by cyber security experts about the vulnerability of various medical devices to being hacked into, putting people at risk of a terrorist attack (including a vulnerability for mass murder), have fallen on deaf ears for many years.
Alarmingly, such hacks can happen to wireless electronic devices such as pacemakers, insulin pumps, implants and various other medical devices.
The results of a cyber attack on these devices could cause many deaths: in other words, patients being murdered from a remote source and location.
The FDA has sent letters of recommendation regarding cyber security of medical devices to medical device manufacturers, hospitals, medical device user facilities, health care IT and procurements staff, and biomedical engineers.
BUT (as at January 2015), it has NEVER made it a LEGAL REQUIREMENT to enforce adequate safety standards or accountability upon the manufacturers in regard to cyber security of medical devices. Therefore there is still no accountability expected of these companies should a hack be successful.
The FDA Knew About this Vulnerability Years Ago… Yet Still Carried on Approving Wireless Medical Implants, Including Pacemakers, to be Manufactured.
In June 2013 the FDA issued the letter “Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication” to all device manufacturers, hospitals, medical device user facilities, health care IT and procurements staff, and biomedical engineers. It recommended that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyber attack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.
FDA Summary of Problem and Scope: Many medical devices contain configurable embedded computer systems that can be vulnerable to cyber security breaches.
In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices and smartphones, there is an increased risk of cyber security breaches, which could affect how a medical device operates.
What the Cyber Security Experts Have Been Warning…
Dick Cheney, National Security Expert: Doctors of former U.S. Vice President Dick Cheney replaced an implanted defibrillator device near his heart in 2007, as they feared it could be hacked into by terrorists. This defibrillator device can detect irregular heartbeats and control them with electrical jolts.
The susceptibility of the implant being hacked into by terrorists is largely due to its wireless communications abilities. Dick Cheney is well known for his tough-minded views of national security & related issues.
He advised, “I was aware of the danger… that existed… I found it credible.” Read more – Dick Cheney Feared His Heart Device Maybe Hacked by Terrorists
DR Mike Gasson Becomes First Man to Be Infected with a
(Sky News – May 2010)
British scientist and cybernetics expert Dr Mark Gasson, from the University of Reading, has become the first human to be infected with a computer virus.
Dr Mark Gasson, from the School of Systems Engineering, contaminated a computer chip which had been inserted into his hand as part of research into human enhancement and the potential risks of implantable devices.
These results could have huge implications for implantable computing technologies used medically to improve health, such as heart pacemakers and cochlear implants, and as new applications are found to enhance healthy humans. Full article – Could humans be infected by computer viruses?
Diabetic Cyber Security Expert Hacks Into His Insulin Pump
TV 5 Investigates
- Write his own program settings
- Change the therapy settings (being able to change the insulin dosage)
Experts are alarmed that many manufacturers have designed cutting edge equipment, but haven’t put much attention into security. Many manufacturers have been known to say it is near impossible to hack into and control an insulin pump from a remote distance, as well as being a highly unlikely event.
In October 2011 at the Cyber Security Hacker Halted conference, well known cyber security expert Barnaby Jack proved this theory wrong by scanning for radio frequency within a 300 meter range, and was able to access implanted insulin pumps.
He demonstrated a remote hack on a diabetic friend of his who was sitting in the audience. Jack was able to control the amount of insulin dispersed and had the capabilities to shut the device down.
Breakpoint Security Conference – 2012
In October 2012 at the Breakpoint Security Conference in Melbourne, security hacker expert Barnaby Jack stated the horrifying facts of what the outcomes of a cyber attack on a pacemaker can be…
- On a video (not released publicly) he demonstrated being able to hack into a pacemaker from his laptop, and delivering 830 volt shocks to it.
- Pacemakers contain a ‘secret function’ which could be used to activate all pacemakers and implantable cardioverter-defibrillators (ICDs) in a 30 foot-plus vicinity, enabling access to all the pacemaker serial numbers. “With that information, we have enough information to authenticate with any device in range,” Jack said.
- That data could be used to…
Load Rogue Firmware which could Spread between Pacemakers
“Potential to Commit Mass Murder”.
Barnaby Jack was working on a device called ‘Electric Feel’ that could be set, at the click of a mouse, to scan for medical implants in a set vicinity, and would be able to deliver electric shocks and malware, and to read and write firmware and patient data.
Barnaby Jack was Found Dead a Few Days Before Black Hat Speech 2013
25/07/2013 – Early evening, Jack was found dead in his bed by his girlfriend Layne Cross, just days before he was to give his speech at the Black Hat Security Conference 2013.
The headline of his talk was, “IMPLANTABLE MEDICAL DEVICES: HACKING HUMANS“. While Jack had already presented his research on hacking pacemakers, he was said to have new discoveries to reveal to the Black Hat convention.
Before the Bad Guys Did’
FDA Guidance for Industry – 2014
FDA’s guidance documents, including this guidance, do not establish legally enforceable responsibilities. Instead, guidances describe the Agency’s current thinking on a topic and should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited.
The use of the word “should” in Agency guidances means that something is suggested or recommended, but not required.
NOTE: One has to ask why the FDA has not enforced tougher security measures or taken major steps to make medical device manufacturers accountable for a lack of security measures, especially given that a mass murder attack could take place should an implant be hacked.
When a patient is told they need a medical implant or pacemaker, they are not always told about the security risks or the full vulnerabilities this type of technology is up against. Nor are they always told about the importance of the security steps the patient needs to take to secure their own in-home devices (such as a smartphone) that are sometimes connected to transfer data via the medical device.
When a patient directly asks “Can this device be hacked into?”, they are often told it’s unlikely or the chances of it are slim.
American Hospital Association Urged the Federal Government to… “Hold Device Manufacturers Accountable for Cyber Security”.
21/11/14 – The American Hospital Association sent a letter of recommendation in response to the FDA public workshop of 21/10/14, ‘Collaborative Approaches for Medical Device and Healthcare Cybersecurity‘.
The AHA response letter stated: As critical infrastructure entities, hospitals and health systems must have the cooperation of all other entities that interact with their information systems, such as insurance companies, electronic health record (EHR) vendors and medical device manufacturers.
All of these outside organizations also must engage in cybersecurity risk assessment and reduction activities, and the controls presented in the framework must flow down to their products. For example, medical device manufacturers will need to implement appropriate:
- Access controls
- Logging systems
- Vulnerability remediation tools.
At the same time, device manufacturers need to develop security appropriate for the “least-resources” environment to which they market, such as:
- The physician office
- A small hospital or even a consumer at home.
They cannot assume that the end-user will have a sophisticated security system with the capacity to implement high-level controls. The AHA recommends that the FDA hold device manufacturers accountable for cyber-security, while also encouraging them to participate in the existing HPH activities to share information on cyber risk.
Hospitals and health systems must consider the full spectrum of cyber threats, not just those involving medical devices. However, medical devices have been identified as key vulnerabilities and high-risk areas for the security of hospitals’ overall information systems.
The HPH sector cannot successfully protect against cyber risk unless all parts of the sector actively manage risk. Therefore, medical device security must be seen as both an issue to address on its own and as a component part of the overall landscape.
Full response letter from the – American Hospital Association
Although professionals state there are NO reports of medical devices being hacked into, this does not mean it hasn’t happened. For example, one would expect it to be hard to prove that a hacker had sent a shock to a heart (via wireless technology) through a defibrillator/pacemaker, unless it was done on a mass scale.
The Sony Pictures Hack in late 2014 highlights the fact that companies can be extorted by terrorists via a cyber attack.
The fact that it is possible for mass murder to be committed via pacemakers and various other medical devices raises extreme concern. Medical device manufacturers are also multi-million dollar companies that could well be a good target for a terrorist hack should demands for money not be met. This is what was behind the Sony Pictures hack.
Summary of the Sony Pictures Hack
In November 2014 it became apparent that Sony Pictures had been hacked into. Variety.com reports – According to a source at Sony Pictures, the company is telling employees that the situation may take anywhere from one day to three weeks to resolve.
The source said a photo appeared on company computers Monday morning with an image of a skeleton and a message saying “Hacked by #GOP.” The message then says, “Warning: We’ve already warned you, and this is just the beginning… We have obtained all your internal data including secrets and top secrets.”
By late December 2014 The New York Times reported that it had become apparent, through files stolen by the hackers and published online, that Mr. Lynton and Ms. Pascal from Sony Pictures had been given an oblique warning.
On Nov. 21, in an email signed by “God’s Apstls,” the studio was told to pay money for an unspecified reason by Nov. 24. If the studio did not comply, the bizarre missive said, “Sony Pictures will be bombarded as a whole.” Full article Sony Cyberattack, First a Nuisance, Swiftly Grew Into a Firestorm
Another case in 2016 – Los Angeles: Hackers demand $3m bitcoin ransom from hospital to unlock vital files
Article written by Wen Dee