Hacking the Human Heart
Criminal Implications of Implantable Medical Devices
Since the dawn of the 1970′s television action show the Six Million Dollar Man, the public has been fascinated by bionics and the integration of technology into the human body. What once seemed to be a far-off science fiction fantasy, is increasingly, however, becoming real. For years, surgeons have been replacing human body parts with human donor-supplied biological alternatives. It has become commonplace in medicine to transplant a human heart, kidney or liver from a deceased individual and place it into a living donor. These procedures would have been unthinkable just 50 years ago, yet today are now commonplace.
The business of replacing damaged or missing body parts is not new. For example, the cultural image of a pirate with a “peg-leg” and a hook for an arm has been ingrained in our collective minds for some time. Yet vast improvements in prosthetics have been achieved since those days of yore. In fact, today’s modern prosthetics are significantly more sophisticated, with some even equipped with robotic components that are linked to bio-sensors capable of detecting signals from the human user’s nervous and muscular systems. These signals can be relayed to the replacement prosthetic limb and carry out the desired bio-mechanical activity. Thus today there is not just one bionic man to speak of, but many bionic men and woman who walk the earth.
As medical science progressed, entirely artificial organs have been created and implanted into human beings. Those alive in the 1980′s will recall the enormous global fanfare received by Dr. Barney Clark and his artificial heart. Dr. Clark was kept alive with the Jarvik 7 artificial heart for 112 days–a medical miracle at the time. Since then, vast improvements have been made in artificial body parts, making them smaller and more technically advanced.
Past prosthetic devices, such as Captain Hook’s replacement hand, were readily understandable and simple technologies. The Captain could remove and adjust the peg-leg and hook himself. Over time, however, as increasing waves of sophisticated technologies were incorporated into new medicial devices themselves. As evidenced with Barney Clark’s artificial heart, the device itself was connected to a phalanx of back-end technology which occupied an entire hospital room. While the artificial heart lied in Dr. Clark’s chest doing its work, it was attached to a number of external devices that physicians would visit in his hospital room to control the heart’s activities.
In the age of Moore’s Law and computer miniaturization, it should come as no surprise that these devices have shrunk significantly. Now, for example, a heart’s pacemaker may be placed wholly in a self-contained apparatus resting entirely within the human chest. There is no need for the constant connection to external devices, nor for the team of physicians to monitor the device at a patient’s bedside. Now it is possible for a heart pacemaker to work on its own, based upon a set of pre-established operating instructions.
In the United States alone, hundreds of thousands of internal heart defibrillators have been implanted to regulate the damaged hearts of patients needing such assistance, including many well-know individuals, such as former US Vice President Dick Cheney. As a particularly polarizing public figure, it would not be surprising to learn that Mr. Cheney had a number of enemies and it was the job of the U.S. Secret Service to protect him from any threat--including any potential attacks against the critical technology implanted in his chest and upon which his life depended.
As medical devices have evolved and miniaturized, they have developed the capability of being controlled wirelessly, including remotely over the Internet. The benefits are obvious– wireless and remote control of implanted medical devices allow patients much greater mobility and obviate the need for daily trips to a doctor’s office. In addition, these devices can dramatically lower health care costs, guaranteeing their wider user and acceptance moving forward.
These cost savings have lead to an increase in remote patient monitoring systems, which are proliferating beyond heart-beat regulation to other medical conditions, such as diabetic insulin pumps. While these developments will undoubtedly help patients and improve the quality of their lives, insufficient attention is being paid to the security of artificial medical devices.
While nobody worried about the 6 Million Dollar Man being hacked, the time has come to seriously consider the security protocols, or lack thereof, of today’s modern medical devices. The integration of technology into the human body has created opportunities for newer and more serious forms computer crime and hacking. In the past, a hacker might have been able to illegally enter a desktop computer system, read a targets personal data or even gain control of another person’s financial accounts. In comparison to the potential threat from Internet-based medical devices, the threats from “old-school” hacking seem mild by comparison.
As information technology is increasingly integrated with the human body, what forms of next generation criminal activity will be possible? An insulin pump connected to the Internet means a patients insulin levels might be tampered with to cause diabetic coma, shock and even death. An extra and unnecessary jolt from a pacemaker could lead to cardiac arrest. To a victim's family, these deaths would likely appear natural (given the poor pre-existing medical conditions of the victims). Even if a case were to go to the coroner’s office for review, how many public medical examiners would be capable of conducting a complex computer forensics investigation? The evidence of medical device tampering might not even be located on the body, where the coroner is accustomed to finding it, but rather might be thousands of kilometers away, across an ocean on a foreign computer server.
The rapid advances in medical technology, paired with the relative paltry consideration of security in medical devices, should be a wake-up call for those that build and implement these life-saving technologies. Given the public health issues at-stake, a closer regulatory approach should be considered as well as vigorous public discussion. Unless some steps are taken now to deal with medical device security, a whole generation of devices may be implanted which are subject to remote tampering and interference. Repairing the existing security holes in those devices would likely be more complex than downloading the latest “patch” from the manufacturer's servers. Rather, a security update might mean the necessity of a second surgical procedure to remove or upgrade an insecure device.
In the near future, the need to deal with medical device security will take on a greater sense of urgency, given the coming explosion in medical nanotechnology or nanomedicine. While the development of these technologies will surely alleviate human suffering and disease, unless the important security-related issues of integrated human-machine interaction are addressed, society may be confronted with a whole new meaning for the term “heart attack.”
See report on Heart Device Vulnerable to Hacker Attack @ the New York Times.