A recent US Homeland Security alert calls attention to the vulnerability of pacemakers, insulin pumps, and other health equipment to malicious attacks. As devices become smaller and more efficient, more attention must be paid to their security.
Last week, the US Department of Homeland Security issued an alert concerning the use of hard-coded passwords in approximately 300 medical devices, including but not limited to anesthesia equipment and drug infusion pumps. The alert comes after researchers at security firm McAfee discovered last year how to reprogram an implanted insulin pump to deliver 45 days’ worth of insulin at once. Also, in 2008, a paper described how implantable defibrillators could be reprogrammed remotely to deliver unnecessary shocks.
What’s the Big Idea?
The right types of data in the wrong hands could be used to change medical device firmware settings in potentially life-threatening ways. Although there have been no known cyberattacks of this type, that doesn’t mean they couldn’t happen someday, given the known vulnerabilities that exist. Plus, as the technology becomes smaller and more efficient, with smartphone add-ons and nano-sized implants in the very near future, the risk of malicious activity will only increase. For these reasons, University of Michigan computer scientist and paper co-author Kevin Fu warns that device manufacturers need to build the same levels of safety quality into their production as businesses in other high-risk industries like avionics do.