Medical Device IMD Hacking Rebecca Earnhardt Researcher Project Manager UMD STARTUnconventional Weapons and Technology Division Preliminary Research Do NOT Cite or Quote Research was Conducted Independently of STARTUMD ID: 931664
Download Presentation The PPT/PDF document "Hacking the Human Body? Cyber-Bio Crosso..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Hacking the Human Body?
Cyber-Bio Crossover: Implantable Medical Device (IMD) HackingRebecca Earnhardt, Researcher / Project ManagerUMD START-Unconventional Weapons and Technology Division
Preliminary Research - Do NOT Cite or Quote – Research was Conducted Independently of START-UMD
1
Slide2The “Cyber” and “Bio” Crossover
Dual-use concernsEase burden on patient vs. increasing intrusion risksSynthetic development of pathogensGenBank
® access and other genetic sequence databasesDe novo synthesis of horsepox virus to improve vaccines vs. concerns about smallpox reemergenceIntellectual property protection
Democratization of biotechnology vs. protection against biohacking
Increasingly connected and mechanized health management
Remote monitoring of medical devices vs. malicious outside interference
Preliminary Research - Do NOT Cite or Quote – Research was Conducted Independently of START-UMD
2
Slide3Case: Implantable Medical DevicesSmaller, increasingly powerful, and progressively connected along with an aging population
200,000+ cardiac devices installed annually in the U.S. (World Survey of Cardiac Pacing and Implantable Cardioverter-Defibrillators)20-30% of patients with Type 1 diabetes mellitus use continuous blood glucose monitor and insulin pump systemsDramatically increased use of vagus nerve stimulators, prompting “brain control” concerns
“[U.S.] demand for implantable medical devices is forecast to increase 7.7 percent annually to $52 billion in 2015.” (Freedonia)
Preliminary Research - Do NOT Cite or Quote – Research was Conducted Independently of START-UMD
3
Slide4Concern Dates Back“In
2007, then-U.S. Vice President Dick Cheney ordered some of the wireless features to be disabled on his defibrillator due to security concerns. When asked if he would recommend other patients do the same, Cheney said not necessarily. "You've got to look at all eventualities and do whatever you have to safeguard the capabilities of the individual...” - Jim Finkle
, “U.S. government probes medical devices for possible cyber flaws,” Reuters
Preliminary Research - Do NOT Cite or Quote – Research was Conducted Independently of START-UMD
4
Slide5Medical Device Hacking: Worried Well or Warranted Concern?Oct 2016 – Johnson & Johnson One Touch Ping insulin pump system
In interviews with Reuters, Johnson & Johnson recognized the system vulnerabilitiesBlack Hat hacker, Jerome Radcliffe, demonstrated insertion of malicious code to trick device into injecting fatal dose of insulin
Jan 2017 - Critical defects in St. Jude Medical Center’s implantable cardiac device and Merlin@home transmitterStatement issued by FDA concerning the cyber vulnerability
Radio-frequency enabled and
WiFi
connectivity2008 experiment demonstrated the ease with which engineers were able to alter RF-enabled cardiac devices
Preliminary Research - Do NOT Cite or Quote – Research was Conducted Independently of START-UMD
5
Slide6Who Would Hack a Medical Device?
A new breed of adversary – cyberbioterrorist?Initial scans indicate lone actors motivated to commit insurance fraud or targeted assassinationOthers suggest different subsets: spies, insiders, and “interferers”
Worst case: adversaries combining capabilities to conduct multiple, simultaneous hacksPreliminary Research - Do NOT Cite or Quote – Research was Conducted Independently of START-UMD
6
Slide7Issues with Extant
AnalysesSuperficial, lacking grounding in adversary behavioral modelingLack of consistent tracking of potential hacking cases by FDAExploration of the supply-side dominated by technology-focused analyses instead of focusing on the adversarial
demand-sideOpportunity is the focus while the adversary is ignored
Preliminary Research - Do NOT Cite or Quote – Research was Conducted Independently of START-UMD
7
Slide8Taking a Balanced ApproachFuture work includes incorporating technology adoption behavioral modeling into current technology-focused analyses
Many decision points and idiosyncrasies that may prohibit adversary adoptionPreliminary Research - Do NOT Cite or Quote – Research was Conducted Independently of START-UMD
8
Slide9Contact:Rebecca Earnhardtrearnhar@umd.edu
Preliminary Research - Do NOT Cite or Quote – Research was Conducted Independently of START-UMD9