Of all the technologies to be compromised by hacking, medical devices are definitely the scariest to think about. Sure, hacking a computer or cell phone might give intruders access to valuable personal information, but messing with a medical device puts patients at risk. And although the exact difficulty of hacking certain medical equipment is unclear, connected medical devices, especially those worn directly on the body, are always at risk for security breaches by a seasoned hacker.
Students at the University of South Alabama have taken it upon themselves to show how disastrous the effects of tampering with medical devices could be by spending a couple of hours tinkering with a medical grade human simulation implanted with a pacemaker. iStan, according to his manufacturer CAE Healthcare, is “the most advanced wireless patient simulator on the market, with internal robotics that mimic human cardiovascular, respiratory, and neurological systems.” iStan helps medical students learn procedures without the threat of killing anyone. He can sweat, cry, talk, and respond to 300 different kinds of medications and procedures – his physiological response is essentially the same as a biological human.
iStan is obviously more vulnerable to an attack than someone with no connected devices because he’s a robot. But he’s likely about as hackable as a typical pacemaker, which has been shown before to be vulnerable to attacks that can deliver fatal jolts of electricity. According to a Motherboard article, that’s exactly what the students found out they were able to do. After successfully gaining access to iStan’s functions, they reasoned that his pacemaker could be vulnerable to denial of service, brute force, and security control attacks.
They could have used the simulator’s pacemaker to speed iStan’s heart rate, slow it down, and if it had a defibrillator (which most pacemakers do) they could have shocked him into cardiac arrest. The students wanted to see how easily they could manipulate the device to develop safeguards, and the university’s hospital is planning to find ways to encrypt data wirelessly transmitted between medical devices. The team of students have also published their results, which have not been peer reviewed yet.
I’m not trying to force undue anxiety on any readers out there who do have a connected pacemaker – I seriously doubt hackers (unless they were complete psychopaths) would seek out and destroy anyone wearing one. But the game changes when you consider high-profile individuals who wear these devices.
Those in the spotlight are already wary of calling attention to medical concerns like having a pacemaker because of … not wanting to appear weak, or something like that? (Though I don’t fully understand why – I would applaud the tenacity of someone willing to undergo all that stress with such a debilitating condition.)
Now that there’s a potential security threat, no celebrity or high-profile public official would dare spread the news that they’re wearing a pacemaker. Either that, or they would opt for a lower-tech “dumb” device, which raises issues of its own – it’s far more advantageous to wear a pacemaker that can be remotely monitored and collect data to personalize treatment. That’s quite the double-edged sword: a lower standard of care or a potentially fatal security threat. I have no idea what I’d do given that decision.
The student hackers didn’t test iStan with any other devices, but if a connected pacemaker is at risk surely other connected devices could be manipulated with similarly disastrous effects. A connected insulin pump might be altered to administer fatally high doses, or equally as fatal, none at all.
Further, I’m sure implantable neurostimulators are going to become connected at some point, and cybersecurity issues for those had better be completely resolved. (Though sadly, hackers’ ingenuity will inevitably increase alongside security improvements.) It’s not clear what could happen if the stimulation was increased, but I can’t imagine it would be pretty. I’m not saying mind control is going to happen, but we don’t fully understand the brain as it is. I’d rather not see a hacker experimenting with altering the electrical pulses – while a stopped heart can be revived, electrical damage to the brain likely couldn’t.