Thanks for your interesting article. There are many medical devices that need to be revisited over the next few years and have preventive protection as it pertains to data security or security in general. Remember, technology is everywhere. Technology is used with printers? Watches? The list goes on and on. So engineers and medical professionals need to work together and come up with medical designs to address security.
Your are completely right, it is just a matter of time! Thanks for sharing the link, it is impressive how they can get the encryption keys even through hibernation files in computers that are turned off!
For us at Freescale Semiconductor, security through hardware and software is key to enable this new generation of future markets, if we, as an industry fail to provide a safe ecosystem for wearables, attachables, implantables and general medical devices, this interesting market might not grow to the expectations of everyone.
You are right! there was a session at Black Hat about that, it was quite controversial. I am glad it is raising awareness to all of us who are in the business. I can tell you as a practising medical doctor, we are always excited when technology brings us alternatives to cure, treat or prevent a disease in one of our patients.
However, we have seen also cases of really promising technologies/devices that were withdrawn from the market, even after FDA market approval because all the potential risks were not fully identified.
If I remember it correctly, in the case of the insulin pump there was a wireless connection with no encryption at all. That's not acceptable! I hope that the discussion will improve the security awareness of the manufacturers. And does an insulin pump really need a wireless connection instead of USB for instance? Of course, it is more comfortable for the users. But I think: security first!
It is good to see the a doctor becoming a technologist and addressing the design issues related to medical devices. More and more such collaborative effort is required as newer and newer medical appliances and health monitoring devices get developed.
I think to address the security issues of such devices the third party - a security expert -has to get involved in the design of such devices . Also ethical hackers can become part of the design team to asses the possible security threats and eliminate them at the design stage.
I think it's true that it is a matter of time for a system to be cracked open, so, a good countermeasure is for a system to be changing every periodic or random amount of time. That is. the encryption keys or also the algorithm itself to encode the encryption keys. This could be changed every now and then and so this provides another level of security right?
And... let's reconsider everything here. If we're concerned with security... against which kind of attack are we concerned? Someone trying to kill someone who depends on a body embedded insulin pump? This would be a medical treatment and any medical treatment is optional, the user can opt to use it or not. The user has to understand the risks.
Also, some regulations could rule out the use of these kind of devices for certain kind of people. Like us "Joes" very probably we can say we don't have enemies. But perhaps a known politician could and so as a security level, these kind of embedded medical wireless devices could be ruled out for them.
Thus, this makes us think that security can be addressed not only with technological developments but also with regulations, and that's where FDA and DHS comes in to place.
Does the medical industry have the means today to test all devices to make sure that they are not vulnerable to security threats? Who is responsible for this? I wonder what the legal situation would be if a device were hacked and a patient was injured.