Is harming someone by hacking into their Internet-based wearable or implantable even possible? Absolutely, says Marc Goodman, a former FBI futurist.
Spoiler alert: if you’re a fan of Homeland and have yet to watch the 2012 episode where terrorists wreak havoc with Vice President William Walden’s Internet-based pacemaker, stop reading now.
If you have seen it, read on.
As you know, the episode revolves around a terrorist who hacks into the Vice President’s pacemaker and speeds up his heartbeat until he dies.
Fact? Fiction? The stuff of Hollywood? The answer is a resounding fact.
Hacking for harm is real
Marc Goodman, global security advisor, former FBI in-house futurist and the author of Future Crimes: Everything is Connected, Everyone is Vulnerable, and What We Can Do About It, says harm by hacking is a real risk for patients wearing implantable, wearable or ingestible devices.
Goodman says criminals have always been early adopters of weapons of mass destruction, and hackable digital health devices are no different.
“If you go back to the 30s and the Chicago gangland criminals of the day, they had automobiles before the police did, back when the cops were still on foot. They had machine guns when the cops were still using revolvers,” Goodman said in an interview on CBC Radio’s The Current.
“Bad guys have always been incentivized to get the latest and greatest in technology. In the 80s they had pagers and mobile phones long before police officers and even before general citizens did. Back in those days it was only doctors that carried pagers. And now they have entered the Internet age and adopted a full range of technology to be able to cheat people.”
Cheat people or worse, says Goodman.
Goodman argues that more and more of us are “plugging our lives” into the Internet, including the games our children play, our televisions, our microwaves, refrigerators and even pacemakers or other medical devices that have been implanted in patients.
Our whole world is becoming computerized – Marc Goodman
Remember Vice President Cheney's pacemaker?
In his work with the FBI, Goodman helped forecast the dark side of tech, whether it be ripping people off or harming them via body device hacking. And make no mistake. Remember the real-life Homeland storyline that hit Washington in 2007, when Vice President Dick Cheney's cardiologist disabled his wireless pacemaker because of just that risk?
It seemed to me to be a bad idea for the vice president to have a device that maybe somebody on a rope line or in the next hotel room or downstairs might be able to get into—hack into. – Dr. Jonathan Reiner of George Washington University Hospital in Washington, D.C.
Risk by the numbers
- There are 300,000 Internet-connected medical devices that are implanted in patients every year
- There are 60,000 Internet-connected pacemakers alone
Photo: Sadasiv Swain
Studies have shown these devices are entirely hackable, be they pacemakers, diabetic pumps or cochlear devices. Like all computers, they too are hackable – Marc Goodman
In a 2013 FDA Communication on medical devices, the agency urged digital health device manufacturers to “take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack.”
The communication went on to say the FDA has become aware of “cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations, including:
- Network-connected or configured medical devices infected or disabled by malware
- Malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems and implanted patient devices
- Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical and maintenance personnel)
- Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices)
- Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding or SQL injection.”
What this means is that for the first time in history, the human body is vulnerable to cyberattacks – Marc Goodman
Goodman cited a personal anecdote involving a visit to a friend who had a bionic arm that ran electronic impulses to the arm via a Bluetooth smartphone app. Explaining that Bluetooth is a hackable technology and theorizing that he could hack into his friend’s arm, Goodman took the phone and began pushing buttons. Within seconds, he was able to move his friend’s hand back and forth.
“I had his phone in my hand but the fact he had Bluetooth meant I could have hacked into his arm from anywhere. Moving forward, things like exoskeletons, military robotics that allow soldiers to carry a thousand kilos as if it were 10 will be coming to the civilian world for factory workers and the like. The application also extends to wearable devices like fitness monitors, Google Glass, implantables, wearables and digestibles, which are little computers in pills that we will swallow that will go out and deliver the medicine at various amounts and times, all of which is entirely hackable.”
Goodman says part of the problem is maleficent hackers who live for no other reason than to prove they can hack, and when they do, they hack big. Like the time, Goodman recounts, that hackers tore into the website of an epilepsy organization, taking down their helpful patient information and replacing it with flashing strobe lights, capable of inducing an epileptic seizure.
Why would anyone do that, you ask?
Why does anyone commit crime? If we knew the answer to that, our prisons would be empty and Hollywood would lose its addictive TV and film storylines.
As Goodman says, criminals will stop at nothing to disrupt people and property for their own gain, and the world of medical devices is no different. Where this all goes and how fast is the question.
Goodman’s prescription for preventing cyber health hacking
Manufacturers need to shift their focus from “let’s get it out there and worry about hacking later” to embedding security and encryption into their processes up front.
We need encryption by default where manufacturers can protect their data by encrypting it.
We need a different model for policing the Internet. An FBI agent cannot arrest a Canadian who commits a crime against an American via the Internet. Goodman recommends an epidemiological approach, i.e., the goal is not to arrest someone who has created a virus but rather focus on protecting individuals, governments and businesses from “getting sick.”
We need a World Health Organization for cyber health vulnerabilities. We face a threat from all of the emerging technology and we are not taking it seriously, so we need [to put entities in place] to build more resistant and resilient computing.
And if you think it couldn’t get any more worrisome, check out one of Marc Goodman’s recent interviews with the Washington Post on the subject of biohacking—DNA: The next big hacking frontier
For more in-depth information on what the FDA is doing to encourage greater protection against cyber health hacking, read the 2013 Communication in its entirety here.
The nuviun industry network is intended to contribute to discussion and stimulate debate on important issues in global digital health. The views are solely those of the author.