Killed by code
Back in 2011, I thought it would only be a question of time before we have a drive by execution of a politician with an ICD (implanted cardiac device).
There was a flurry of excitement about this sort of remote-control exploit that sort of died out although the vulnerabilities continue to surface.
There was even an episode of CSI New York that used the concept of an EMP to kill a person with an ICD.
In fact, a radio exploit of an ICD or embedded insulin pump might be almost impossible to identify unless the device itself was logging external commands and transmitting them to an external monitoring service.
Attack scenarios are always a question of cost/benefit
While it’s possible that the ICD suppliers have improved their security — I think that the real reason for not exploiting ICD vulnerabilities to kill old heads of state like President Biden is simple. You have to be really close to the person for the ICD to receive the signal and once you’re that close there are cheaper options like a gun.
But still, the FDA is on it
By Jan 9, 2017 FDA reported in a FDA Safety Communication on “Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter.
At risk:
- Patients with a radio frequency (RF)-enabled St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter
- Caregivers of patients with an RF-enabled St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter
- Cardiologists, electrophysiologists, cardiothoracic surgeons, and primary care physicians treating patients with heart failure or heart rhythm problems using an RF-enabled St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter
Mobile security is really important
I’ve been talking to our medical device customers about mobile security of implanted devices. I gave a talk on mobile medical device security at the Logtel Mobile security conference in Herzliya and discussed proof of concept attacks on implanted cardiac devices with mobile connectivity.
We will soon be an IoB — Internet of Bodies
Implanted cardiac devices are the extreme corner case of mobile medical devices.
If a typical family of 2 parents and 3 children currently have 7–8 connected devices, it is a reasonable scenario that this number will double with devices for fetal monitoring, remote diagnosis of children, home-based urine testing and more.
Mobile medical devices are becoming a pervasive part of the Internet of things; a space of devices that already outnumber workstations on the Internet by about five to one, representing a $900 billion market that’s growing twice as fast as the PC market.
The political, regulatory and cyber dimensions
There are 3 dimensions to medical device security — regulatory (FDA), political (Congress) and cyber (vendors implementing the right cyber security countermeasures)
The FDA is taking a tailored, risk-based approach that focuses on the small subset of mobile apps that meet the regulatory definition of “device” and that:
- are intended to be used as an accessory to a regulated medical device, or
- transform a mobile platform into a regulated medical device.
Mobile apps span a wide range of health functions. While many mobile apps carry minimal risk, those that can pose a greater risk to patients will require FDA review. The FDA guidance document provides examples of how the FDA might regulate certain moderate-risk (Class II) and high-risk (Class III) mobile medical apps. The guidance also provides examples of mobile apps that are not medical devices, mobile apps that the FDA intends to exercise enforcement discretion and mobile medical apps that the FDA will regulate in Appendix A, Appendix B and Appendix C.
We need to start thinking past the politics and theater of security.
Mobile and medical and regulatory is a pretty sexy area and I’m not surprised that politicians are picking up on the issues. The extreme growth of connected wearables will create a big threat surface
But with over 1BN connected wearables in the US, India and China within 2 years — we should start thinking beyond the politics and theater of security.
