Kathy Gibson reports from CeBit in Hannover –If you wear a pacemaker every beat of your heart is generated by this device. But could an implanted medical device be putting you at risk from hackers?

A pacemaker works by registering every heartbeat and sending an electronic signal to the heart, telling it to beat. Without it, a patient could die.

When Dr Marie Moe, associate professor of Sintef Infosec, received a pacemaker five years ago, medical professionals couldn’t tell her how safe it was from cyber-hackers.

“My life depends on hardware and software inside my body. Every beat of my heart is generated by the pacemaker,” she says. “I needed to find out if hackers could break my heart.”

The first question she asked was how the data from her heart was secured.

She discovered that the device in her heart can connect to the Internet. “So I am a part of the Internet of Things (IoT).”

In fact, the pacemaker has two communication interfaces – both wireless, for obvious reasons.

The interface which the hospital programmer uses is familiar to technicians since it’s how the device is checked and configured. When she goes to the hospital for a checkup, a doctor can use a touchscreen  stop, slow or speed Dr Moe’s heart.

But remote monitoring is also possible. The device can establish a connection with a home monitoring unit, which then uploads information to the Internet where it is transferred to a server, often remotely.

“For me, this is obviously something  that opens my system up to remote hacking attacks,” Dr Moe says.

What would a hack on a pacemaker – or any other implanted medical device – look like?

One of the immediate issues is that of privacy, Dr Moe says. “My device is transferring patient information wirelessly; so it’s possible for a hacker with an antenna and laptop to scan the room and read sensitive information about patients.”
A hacker can also deplete the battery of the device prematurely by attacking it, essentially in a DDoS attack. “My pacemaker’s battery should last about 10 years but it is possible to make it run out faster than that.”

A hacker could also cause the device to malfunction.

This could be related to a hacker employing a variation of ransomware, where patients could face death threats and extortion. Since healthcare is already one of the major victims of ransomware, it’s conceivable that threats of this kind could be extended to devices like pacemakers.

Then there is the remote assassination scenario. “I don’t think I am a potential assassination target, but others could be,” Dr Moe says.

With any ecosystem, connectivity adds vulnerability, she says.

“I know society is adopting technology faster than we are able to secure it. But when the device is embodied, like a pacemaker, we need to think carefully about how to secure them.

“We need to make sure that it’s not possible for anyone to remotely hack people.”

Dr Moe explains that personal experiences led her to research the possibility of hacking a pacemaker.

“The reason is that I have experienced how it feels to have a device that is not functioning correctly due to software bugs or hardware failure.

In fact, Dr Moe’s pacemaker has fallen victim to both of these scenarios, one a poorly set limit in the software settings, the other a hardware fault that caused the unit to re-initialise.

“So I know these things can go wrong,” she says. “And it is a problem if it can be hacked.”

The threats are real and the result of a number of factors, she adds.

The first of these is that implanted devices have a long lifetime. Not only do they spend 10 years in-body, they also have  long development cycle.

In addition, there is little security testing or monitoring of implanted medical devices. This is coupled with a lack of regulation that means manufacturers are under no obligation to bring secure devices to market.

And, as more connectivity is added, the attack surface is increased.

The industry can solve the issues though, with more security research, Dr Moe believes.

Security researchers and manufacturers should make information available to enable collaboration. There would need to be co-ordinated disclosure and this has already begun.

Vendor awareness will also help to drive security. Regulation will help to push this, and more awareness in the procurement cycle would help as well.

The bottom line, says Dr Moe, is that manufacturers need to start including safety by design and increase the security testing of their products.

By monitoring security risk, the industry will be able to drive security updates and incident response. Insurance companies can also play a role by insisting that the devices they cover are secure and resilient.

Dr Moe adds that Sintef is collaborating with various stakeholders to find a ways to drive device security.