Your are completely right, it is just a matter of time! Thanks for sharing the link, it is impressive how they can get the encryption keys even through hibernation files in computers that are turned off!
For us at Freescale Semiconductor, security through hardware and software is key to enable this new generation of future markets, if we, as an industry fail to provide a safe ecosystem for wearables, attachables, implantables and general medical devices, this interesting market might not grow to the expectations of everyone.
Does the medical industry have the means today to test all devices to make sure that they are not vulnerable to security threats? Who is responsible for this? I wonder what the legal situation would be if a device were hacked and a patient was injured.
What you may be seeing here is the birth of a new industry, just like computer security. We may be seeing contracters in the medical field specializing in implant security before too long. Kind of makes "penetration testing" seem like a very apt term.
You are right! there was a session at Black Hat about that, it was quite controversial. I am glad it is raising awareness to all of us who are in the business. I can tell you as a practising medical doctor, we are always excited when technology brings us alternatives to cure, treat or prevent a disease in one of our patients.
However, we have seen also cases of really promising technologies/devices that were withdrawn from the market, even after FDA market approval because all the potential risks were not fully identified.
Thanks for your interesting article. There are many medical devices that need to be revisited over the next few years and have preventive protection as it pertains to data security or security in general. Remember, technology is everywhere. Technology is used with printers? Watches? The list goes on and on. So engineers and medical professionals need to work together and come up with medical designs to address security.
If I remember it correctly, in the case of the insulin pump there was a wireless connection with no encryption at all. That's not acceptable! I hope that the discussion will improve the security awareness of the manufacturers. And does an insulin pump really need a wireless connection instead of USB for instance? Of course, it is more comfortable for the users. But I think: security first!
You are right, that is totally unacceptable! usually insulin pumps do need some kind of wireless protocol, mostly to communicate with the control unit. Right now the user needs to input some data through the control unit in order to control de amount of insulin that is released, or in order to avoid a recurrent dosis administration, when for example skipping a meal.
Some efforst are being done to actually communicate to continuous glucose monitors, so that the articificial pancreas will be built!, wireless will be needed.
It is good to see the a doctor becoming a technologist and addressing the design issues related to medical devices. More and more such collaborative effort is required as newer and newer medical appliances and health monitoring devices get developed.
I think to address the security issues of such devices the third party - a security expert -has to get involved in the design of such devices . Also ethical hackers can become part of the design team to asses the possible security threats and eliminate them at the design stage.
I think it's true that it is a matter of time for a system to be cracked open, so, a good countermeasure is for a system to be changing every periodic or random amount of time. That is. the encryption keys or also the algorithm itself to encode the encryption keys. This could be changed every now and then and so this provides another level of security right?
And... let's reconsider everything here. If we're concerned with security... against which kind of attack are we concerned? Someone trying to kill someone who depends on a body embedded insulin pump? This would be a medical treatment and any medical treatment is optional, the user can opt to use it or not. The user has to understand the risks.
Also, some regulations could rule out the use of these kind of devices for certain kind of people. Like us "Joes" very probably we can say we don't have enemies. But perhaps a known politician could and so as a security level, these kind of embedded medical wireless devices could be ruled out for them.
Thus, this makes us think that security can be addressed not only with technological developments but also with regulations, and that's where FDA and DHS comes in to place.
The security concerns for hacking into bio-implants are real...but we need to put that into perspective, nobody has died yet...25,000 people die in car accidents in US alone, similar number die in US in hospitals due to wrong diagnosis or wrong medication...I won't mention wars or large natural disasters
As far as I'm concerned, internet connected configuration of implants is probably a rediculous idea. what you need is remote monitoring, but to tinker with setting afar I think not. Have a small hall sensor that can be enabled by a magnet to enable setup functions and have the actual setup via a 10 or 20kHz carrier system that only works from cm's away and you address 99,99% of the issues. Then for someone to kill you they have to be within a knife's distance anyway so it becomes a moot point. Internet reconfigurable impalnts is even more crazy that enabling the reprogramming of a car from a distance