In the second season of the show Homeland, the Vice President of the United States was assassinated by terrorists. In an elaborate plot, hackers obtained the Vice President’s pacemaker identification number and then used it to remotely induce a fatal heart attack.
As the fictional Vice President slumped over and took his final breaths, many viewers were left wondering if medical device hacking is the stuff of science fiction or if it is something that could actually happen.
In fact, one of the viewers of that night’s episode happened to be former Vice President Dick Cheney, who in 2007 had a device implanted to regulate his heartbeat. In an interview with “60 Minutes,” Cheney said, “I found [the depiction] credible because I knew from the experience that we had assessing the need for my own device that it was an accurate portrayal of what was possible.”
To illustrate this risk in the real world, security expert Jerome Radcliffe, himself a diabetic, demonstrated how a hacker could remotely turn off a diabetic person’s insulin pump or change any of its settings without the wearer’s knowledge.
In 2013, another security expert, Barnaby Jack, was slated to give a presentation called “Implantable Medical Devices: Hacking Humans,” also described as “how to kill a man at 30 feet by hacking his pacemaker.” Jack had developed software that allowed him to remotely deliver an electric shock to anyone wearing a pacemaker within a 50-foot radius. Due to his untimely death, the presentation was cancelled.
Although the hacking of wireless infusion pumps and other medical devices has yet to happen, it is now considered a critical cyber security vulnerability. While much of the focus has been on the ability of hackers to harm patients directly, an additional prize for hackers lies in gaining entry to a hospital or medical center network. A medical device might just be the entry point hackers seek.
Hospitals store a wealth of records containing sensitive data such as financial, medical and identity information. What if hackers could hijack a pump and use it to access this extremely attractive trove of data or create a large-scale disruption of operations?
As this critical vulnerability continues to draw attention, the FDA weighed in at its first cyber security conference on medical devices. In its statement, the FDA urged medical device manufacturers and health care facilities to take steps to ensure that appropriate safeguards are in place to reduce the risk of device failure due to cyber security threats.
In addition, the U.S. Department of Homeland Security began investigating a number of suspected cyber security flaws in various medical devices and hospital equipment that officials feared could be particularly vulnerable to cyber attack.
Meanwhile, at a recent NIST (National Institute of Standards & Technology) conference in Minneapolis, a number of attendees compared hospitals’ infusion pump vulnerabilities to those exploited at Target last year. In that instance, hackers breached the retail giant’s defenses by sneaking in through a side door intended for use by an HVAC contractor. In the end, hackers obtained personal data on over 70 million Target customers.
As our professional and personal lives become more intertwined with technology and hackers become more creative in the ways they attack, it only becomes more apparent that data security is absolutely critical.
The Solution: Unbreakable Data Encryption
As the digital and physical worlds continue to collide, it will only become more important for institutions to implement stringent data security measures in order to stay a step ahead of hackers.
Data encryption should be seen as the cornerstone of any defense system. More specifically, companies should partner with a data security provider that offers ‘Zero-Knowledge’ privacy.
Essentially, ‘Zero-Knowledge’ privacy means that your data is encrypted and no one other than you, and those you grant permission to, can access it. Under this model (client-side encryption), you are the only one holding the encryption keys that unlock your data. Since you alone possess the keys, your data is never at risk of being unlocked, stolen or misused, whether by insiders or by external attackers. You are the only one who can unlock your data: not a hacker, not your IT staff, not even the government.
While a number of data security providers offer data encryption, ‘Zero-Knowledge’ privacy takes the concept a step further. Most data security companies store your encryption keys alongside your encrypted data. This makes the data viewable by anyone with access to your storage facility, whether that is on your network or in the cloud. Unless you are the only one holding the keys to your data, encryption is meaningless.
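The difference between the two storage models described above can be shown in code. The following is an added example written for this article, not code from the original post or from any provider it describes: the client generates and keeps an AES-256 key, encrypts a record with AES-GCM and hands the provider only the ciphertext and nonce; a `providerRead` function models anyone with access to the storage facility (an insider or an attacker who has reached the network). The record identifier used as associated data and the sample record contents are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what the storage provider keeps. Under zero-knowledge storage the
// Key field is always nil: only ciphertext (with its nonce) ever leaves the
// client. In the weaker model the provider keeps the key next to the data.
type Record struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: ciphertext followed by the 16-byte tag
	Key        []byte // nil under zero-knowledge storage
}

// newClientKey generates a 256-bit AES key on the client; it never appears in
// a Record under the zero-knowledge model.
func newClientKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// clientEncrypt runs on the client: it seals plaintext under the client key and
// binds recordID as associated data so a ciphertext cannot be swapped into
// another record without detection.
func clientEncrypt(key []byte, recordID string, plaintext []byte) (Record, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return Record{Nonce: nonce, Ciphertext: ct}, nil
}

// clientDecrypt runs on the client with the client-held key. GCM verifies the
// authentication tag, so any modification of the stored ciphertext is rejected.
func clientDecrypt(key []byte, recordID string, r Record) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Ciphertext, []byte(recordID))
}

// providerRead models anyone with access to the storage facility. It can only
// recover the plaintext if the key was stored alongside the data.
func providerRead(recordID string, r Record) ([]byte, error) {
	if r.Key == nil {
		return nil, errors.New("provider holds ciphertext only; no key available")
	}
	return clientDecrypt(r.Key, recordID, r)
}

// storeWithKey models the weaker design: the provider keeps the key with the record.
func storeWithKey(key []byte, r Record) Record {
	r.Key = key
	return r
}

func main() {
	key, _ := newClientKey()
	id := "patient/4711/labs" // constructed record identifier
	rec, _ := clientEncrypt(key, id, []byte("constructed sample: HbA1c 7.2%"))
	if _, err := providerRead(id, rec); err != nil {
		fmt.Println("zero-knowledge storage:", err)
	}
	pt, _ := clientDecrypt(key, id, rec)
	fmt.Println("client decrypts:", string(pt))
	leaky := storeWithKey(key, rec)
	pt2, _ := providerRead(id, leaky)
	fmt.Println("key stored alongside data, provider reads:", string(pt2))
}
```

The same `providerRead` call fails against the zero-knowledge record and succeeds against the record that carries its own key, which is exactly the point of the paragraph above: the encryption is only as good as the separation between key and ciphertext.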
With a sound, unbreakable data encryption system in place, any hacker attempting to breach a hospital’s defenses and access sensitive patient information will be met with nothing more than a useless and undecipherable jumble of numbers and letters.
The Solution: Irrefutable Identity Management
Along with unbreakable data encryption, an irrefutable identity management system is also critical to a successful cyber security strategy.
As demonstrated by the Apple celebrity photo hacking scandal, all too often hackers break through a company’s defenses simply by stealing usernames and passwords. With this type of attack becoming more common, it is wise for companies to use multi-factor authentication, which can take a number of forms, such as biometric login. This way a company can be confident that the person attempting to access valuable data is who they say they are.
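Biometric login is the only second factor the paragraph above names; a time-based one-time password (TOTP, RFC 6238) is another common form, and it is small enough to show end to end. The following is an added example written for this article, not code from the original post: it computes the code from a shared secret and the current time step, and the verifier tolerates one step of clock skew in either direction, compares in constant time, and refuses to accept a time step that has already been used, so a captured code cannot be replayed. The user name and enrolment flow are constructed for the example; the secret in `main` is the RFC 6238 test secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const totpStep int64 = 30 // seconds per time step (RFC 6238 default)

// totpAt computes the RFC 6238 code (HMAC-SHA1) for a Unix time and digit count.
func totpAt(secret []byte, unix int64, digits int) string {
	counter := uint64(unix / totpStep)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// dynamic truncation: take 31 bits starting at the offset in the last nibble
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verifier holds each enrolled user's secret and the last time step it accepted
// for them, so the same code is never accepted twice.
type Verifier struct {
	secrets  map[string][]byte
	lastStep map[string]uint64
}

func NewVerifier() *Verifier {
	return &Verifier{secrets: map[string][]byte{}, lastStep: map[string]uint64{}}
}

// Enroll stores the shared secret for a user (constructed enrolment; a real
// deployment would provision this over a trusted channel).
func (v *Verifier) Enroll(user string, secret []byte) { v.secrets[user] = secret }

// Verify accepts a 6-digit code for the current step or one step either side,
// rejects unknown users, and refuses any step at or before the last one used.
func (v *Verifier) Verify(user, code string, now int64) bool {
	secret, ok := v.secrets[user]
	if !ok {
		return false
	}
	for _, skew := range []int64{0, -1, 1} {
		t := now + skew*totpStep
		step := uint64(t / totpStep)
		if last, used := v.lastStep[user]; used && step <= last {
			continue // this step (or an older one) was already consumed
		}
		expected := totpAt(secret, t, 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastStep[user] = step
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret
	v := NewVerifier()
	v.Enroll("alice", secret) // constructed user
	now := time.Now().Unix()
	code := totpAt(secret, now, 6)
	fmt.Println("first use accepted:", v.Verify("alice", code, now))
	fmt.Println("replay accepted:", v.Verify("alice", code, now))
}
```

The replay check is the part most home-grown TOTP verifiers omit: without it, a code observed over the shoulder or in a phishing proxy remains valid for the whole 30-second step plus the skew window.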
Along with stringent login standards, it is also important that a company use a system that sends out a notification when activity indicating malicious intent is detected. For example, if a user accesses files more often than approved, or accesses files they are not approved to access, an alert should go out before damage is done.
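The two triggers named above (too many accesses, and access outside the approved set) map directly onto a detection rule. The following is an added example written for this article, not code from the original post or any product: it replays audit lines against a per-user policy, raises an alert once when a user's read rate in a sliding window exceeds what was approved, raises an alert for every read of a path outside the approved prefixes, and treats identities with no policy at all (such as a device gateway reading records) as alertable. The log format, user names, paths and policy values are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AccessPolicy is what the organisation approved for one user: which file
// prefixes they may read and how many reads per window are normal for them.
type AccessPolicy struct {
	AllowedPrefixes []string
	MaxPerWindow    int
	Window          time.Duration
}

// Alert is the notification that should go out before damage is done.
type Alert struct {
	Time   time.Time
	User   string
	Reason string
	Path   string
}

type access struct {
	t    time.Time
	user string
	path string
}

// parseLine parses one constructed audit line: "<RFC3339 time> <user> READ <path>".
func parseLine(line string) (access, error) {
	f := strings.Fields(line)
	if len(f) != 4 || f[2] != "READ" {
		return access{}, fmt.Errorf("unparseable line: %q", line)
	}
	t, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return access{}, err
	}
	return access{t: t, user: f[1], path: f[3]}, nil
}

func allowed(p AccessPolicy, path string) bool {
	for _, pre := range p.AllowedPrefixes {
		if strings.HasPrefix(path, pre) {
			return true
		}
	}
	return false
}

// detect replays the log in time order. It alerts the first time a user exceeds
// the approved rate, on every read outside the approved set, and on every read
// by an identity that has no policy.
func detect(lines []string, policies map[string]AccessPolicy) ([]Alert, error) {
	var events []access
	for _, l := range lines {
		if strings.TrimSpace(l) == "" {
			continue
		}
		a, err := parseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, a)
	}
	sort.Slice(events, func(i, j int) bool { return events[i].t.Before(events[j].t) })

	recent := map[string][]time.Time{} // per-user timestamps still inside the window
	rateAlerted := map[string]bool{}
	var alerts []Alert
	for _, e := range events {
		p, ok := policies[e.user]
		if !ok {
			alerts = append(alerts, Alert{Time: e.t, User: e.user, Reason: "no approved access policy", Path: e.path})
			continue
		}
		if !allowed(p, e.path) {
			alerts = append(alerts, Alert{Time: e.t, User: e.user, Reason: "path outside approved set", Path: e.path})
		}
		w := recent[e.user]
		cut := e.t.Add(-p.Window)
		for len(w) > 0 && !w[0].After(cut) {
			w = w[1:] // fell out of the sliding window
		}
		w = append(w, e.t)
		recent[e.user] = w
		if len(w) > p.MaxPerWindow && !rateAlerted[e.user] {
			rateAlerted[e.user] = true
			reason := fmt.Sprintf("%d reads in %s exceeds approved %d", len(w), p.Window, p.MaxPerWindow)
			alerts = append(alerts, Alert{Time: e.t, User: e.user, Reason: reason, Path: e.path})
		}
	}
	return alerts, nil
}

// constructedLog and constructedPolicies are sample data for this example, not a real audit trail.
var constructedLog = []string{
	"2024-05-01T09:00:00Z nurse01 READ /ehr/ward7/patient-101",
	"2024-05-01T09:00:20Z nurse01 READ /ehr/ward7/patient-102",
	"2024-05-01T09:00:40Z nurse01 READ /ehr/ward7/patient-103",
	"2024-05-01T09:00:50Z nurse01 READ /ehr/ward7/patient-104",
	"2024-05-01T09:01:05Z nurse01 READ /finance/payroll.xlsx",
	"2024-05-01T09:02:00Z pump-gw READ /ehr/ward7/patient-101",
}

var constructedPolicies = map[string]AccessPolicy{
	"nurse01": {AllowedPrefixes: []string{"/ehr/ward7/"}, MaxPerWindow: 3, Window: time.Minute},
}

func main() {
	alerts, err := detect(constructedLog, constructedPolicies)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("%s ALERT user=%s reason=%q path=%s\n", a.Time.Format(time.RFC3339), a.User, a.Reason, a.Path)
	}
}
```

Run against the constructed log it produces three alerts: the fourth ward read within a minute trips the rate rule, the payroll spreadsheet trips the approved-set rule, and the pump gateway reading a patient record trips the no-policy rule, which is the medical-device-as-entry-point scenario the first half of this article describes.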
As hackers become more sophisticated and more creative in the ways they attack, data encryption alone is no longer considered a solution. However, unbreakable data encryption (‘Zero-Knowledge’ privacy) along with irrefutable identity management together make for a significant barrier against hackers.