What the hack!

Digital world has become a common place to read about the most secure sites and the most confidential data falling prey to hackers. But can hackers find their way into hacking medical instruments like pacemakers, insulin pumps and more ? We find out

It looks like a perfect movie script: Cyber criminals are assigned to assassinate high profile personalities using pacemakers. They take over the latter’s life by taking charge of the medical equipment they wear or use. Quite the hack, you’d say?

‘Medjacking’, or medical device hijacking, is a real cyber security threat and to healthcare systems. The idea had originated in the popular TV show Homeland way back in 2012, where terrorists were provided a serial number to hack the pacemaker of Vice-President William Walden. Homeland’s premise, however, was built around a real life story — of former US Vice President Dick Cheney, whose pacemaker’s wireless capabilities were disabled to thwart possible assassination attempts.

Virtual dangers
Fictional plots aside, can such horrifying scenarios really play out in real life too? Yes they can, say experts. About 465,000 pacemakers were recently implicated in a major hacking risk.

A security flaw in a pacemaker by the US medical device-maker Medtronic makes it possible for hackers to take control of the device and deliver malware to the computers implanted in someone’s chest.

So also, it’s only natural that closer home, the Modi government recently issued an alert about insulin pumps and pacemakers being vulnerable to hackers who can connect to them and control delivery of the hormone into a patient’s body.

In addition, last year, Abbott had recalled over five lakh pacemakers. Additionally, in 2016, Johnson & Johnson (J&J) divulged to patients the security vulnerability in an insulin pump that could be exploited by hackers to overdose diabetic patients with insulin.

These insulin pumps are designed to communicate using wireless radio frequency (RF) with other devices such as blood glucose meters, glucose sensor transmitters and certain CareLink USB devices.

Cyber nightmares closing in
Given the increasing number of healthcare equipment — from cardiac monitors to glucometers — being equipped with wireless connectivity and sensors, the number of potential exposure points only increase, giving way to black-hat hackers. So when an internet-connected device is implanted in body to help maintain heart rate or regulate the insulin in bloodstream, security lapses can literally be hazardous to your health.

“Electronic devices can be programmed like the remote of a TV. Pacemakers, in particular, can be controlled by devices that can increase or decrease heart rates to dangerous levels. Similarly, insulin pumps can be controlled and levels of insulin can be modified, which can lead to coma or death,” affirms Dr Sunil Kapoor, senior Consultant Cardiologist, Apollo Hospitals.

Mukesh Choudhary, founder & CEO, CyberopsInfosec, also concurs that hackers can find vulnerabilities in almost any system and gain control over the device and its controls. “Recently, a medical company discovered vulnerabilities in common infusion pumps that are intended for the metered injection of drugs into a patient’s organisms. And this, hackers can kill patients. Internet of Medical Things (IoMT) is designed to broaden the attack surface for healthcare organisations. It is expected that by 2020, almost 650 million IoMT devices will be used. An attacker with such access can launch extortionist viruses in the hospital system or replace patient images,” says.

Sophisticated and unsecure
Elaborating more on the topic, Dr Ravi Sankar Erukulapati, Senior Endocrinologist, Apollo, says, “There are many types of insulin pumps. The basic ones are simple, but some sophisticated insulin pumps have higher functions such as the ability to control using a remote control. While such functions improve patient comfort and usability of the device, they have their own downside. For instance, if a technically competent individual with wrong intentions remotely takes control of a patient’s insulin pump, there can be catastrophic consequences, such as wrong insulin dose delivery, stalling the insulin pump, creating hypoglycemic episodes or muting the safety beep features in the insulin pump.”

Given the gravity of the situation, the Central Drug Standard Control Organisation’s (CDSCO) in Delhi had also sent out an alert sometime in May this year. “Any unauthorised person with special technical skills and equipment can connect wirelessly to a nearby insulin pump to change settings and control delivery of the hormone,” it said.

“In view of such risks, it is of paramount importance that insulin-pump manufacturers, or for that matter all medical device manufacturers, take all necessary precautions to avoid such misuse of the devices. After all, technology is a double-edged sword," adds Dr Ravi, as he signs off.