Guest Post by Paul Kostek (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Hack a pacemaker? Is this a real problem?
Some recent experiments have been able to hack a pacemaker and other medical devices including an insulin pump. The weakness of these systems was the analog sensors attached to the body to gather information. These analog inputs bypass the internal security and are converted directly to digital signals.
From a risk perspective is this something medical device manufacturers , insurance companies and the medical professionals need to worry about? It was part of a conversation at the Black Hat @Design West Conference where considerable discussion was held on building defensive walls.
Manufacturers will need to consider what are the risks from an external source, what are the possible technology responses, and how does the cost balance with the risk. For anyone working in the application of risk the latter is an important question.
What risk are we willing to live with when we talk about devices placed in people?
What are the implications if an insulin pump is hacked and insulin delivery turned off? Increased?
Can we detect the hacking?
If we detect an attack, can we develop a default mode that will allow the device to continue to provide therapy while blocking the attempted hack? Do we let the user know?
All important questions that need to be addressed as part of the User Needs and requirements definition process.
Privacy: Another Important Question
What considerations will privacy play in these devices? HIPAA rules will have to be considered as security methods are developed. We’ll need to determine if the solution will have any impact on the privacy of the patient, also could the privacy decisions impact the technology solution? These will be questions that need to be addressed as we move forward with medical technology.
What happens as we move further along and develop more implantable devices? The balancing act is providing security while ensuring privacy and keeping costs of implementing security reasonable.
This will be the challenge for all of us in moving forward.
Paul J. Kostek is a Principal of Air Direct Solutions, a systems engineering/project management consulting firm. He works with companies in defining system architecture, system requirements, interface definition, verification planning, risk management and software development standards. Paul received his BS from the University of Massachusetts, Dartmouth. Paul works in a range of industries including: aerospace, defense, medical device and e-commerce.
Paul is a long-time volunteer with several professional engineering societies including IEEE, AIAA, SAE, INCOSE and PMI. He also writes for the CERM Risk Insights emagazine.