SF Gate

Saturday, August 17, 2013
Insulin pumps, like this one used by 6-year-old Merrick Horne in 2011, might be vulnerable to hacking. Photo: Michael Macor, The Chronicle

In the world of hypothetical cybercrime, not much is scarier than the hacked medical device.

Compromised pacemakers played a central role last year in an episode of TV’s “Homeland” and provided a macabre side note to this year’s Black Hat conference for hackers.

It wasn’t science fiction: There’s ample evidence that it’s possible to seize control of such implants from a distance. There’s just no evidence that’s ever happened.

Still, regulators and computer security experts are dedicating a fair amount of attention to warding off such threats. On Thursday, the Center for Internet Security, a nonprofit group that advises government agencies and private companies, said it was beginning work on a set of guidelines for medical devices, starting with insulin pumps. It is soliciting the cooperation of hospitals and device manufacturers through the end of August and plans to issue its guidelines by the end of the year.

FDA guidance

This follows a warning by the Food and Drug Administration, which alluded to potential shortcomings in medical devices and said it was developing guidance on how manufacturers should address them.

Medical hacking entered the public eye in 2011, when hackers began showing it was possible. Jay Radcliffe, a computer security expert working for IBM, delivered a presentation at a hacking conference showing that he could take control of an insulin pump and manipulate the amount of insulin it provided, potentially killing the user.

The revelation led to a spate of angry letters, concerned congressmen, and eventually, the FDA guidelines issued this year. Radcliffe also began working with medical device manufacturers to help secure their products.

New vulnerabilities continue to arise. In June, ICS-CERT, part of the Department of Homeland Security, reported that it had found security holes in 300 medical devices made by 40 companies, which it declined to name.

This summer, Radcliffe returned to Black Hat to discuss medical hacking. Another computer security researcher who had focused on medical devices, Barnaby Jack, was scheduled to give a presentation about how he had successfully hacked into a pacemaker, but days before the conference, Jack was found dead in San Francisco. A medical examiner is investigating the cause.

“We certainly don’t want people to lose faith in these devices,” Jack said July 18 in an interview with Bloomberg News. “But certainly any threats, no matter how minor, need to be eliminated.”

Jack, who previously worked at computer security firm McAfee, made headlines at the Black Hat conference in 2010 when he demonstrated his ability to hack stand-alone ATMs. He was able to hack them in two ways – remotely and using physical keys that come with the machines.

More gaining skill

In an interview with Vice magazine shortly before his death, Jack said it had taken six months to hack the pacemaker.

“It does take a specialized skill, but with more and more security researchers concentrating on embedded devices, the skill set required is becoming more common,” he said.

Considering the varying rates of technical innovation among hackers, medical companies and regulators, it’s likely that the health care industry will always be at least a half-step behind. Meanwhile, as medical devices continue to utilize wireless technology, the manufacturers will continue to face the tension of straddling two worlds, says Chester Wisniewski of Sophos, a security firm.

“There are very few security people in the medical device industry, and there are very few medical people in the security industry,” he said.

Joshua Brustein is a Bloomberg Businessweek writer. E-mail: jbrustein@bloomberg.net