Recently there have been a slew of notices warning people their information may have been hacked from Target, LinkedIn, and other websites and shops that use and store electronic information. Because of the rampant speed at which information is getting easier to hack, people are asked to make more complicated passwords, banks are moving to chip cards, and security questions are becoming more personal. But what if there was a way to hack into electronic medical devices like pacemakers?
There is, and it’s called Brainjacking.
On July 31, 2015, the FDA released a warning to healthcare facilities using the Hospira Symbiq Infusion System. The Hospira Symbiq Infusion System is a computerized pump designed for the continuous delivery of fluids, such as nutrients or medication, into a patient’s body in controlled amounts.
It is primarily used in hospitals and other healthcare facilities. This infusion system communicates with a Hospital Information System (HIS) over facility networks (i.e.: the Internet). Hospira and an independent researcher found this system could be hacked so that an unauthorized party could control this device, and thus, control a patient’s medication without their consent.
This is not the first security breach of medical devices. In 2011, Jay Radcliffe, a network security expert, hacked his own insulin pump utilizing the wireless connection which pairs to a glucose meter telling the pump how much insulin to dispense.
In 2011 and 2012, Barnaby Jack, a famous hacker, demonstrated the ability to hack an insulin pump as well as a pacemaker. He developed software that allowed him to remotely send an electric shock to anyone wearing a pacemaker within a 50-foot radius. Additionally, he came up with a system that scans for any insulin pumps that communicate wirelessly within 300 feet, allowing someone to hack into them without even needing to know the identification numbers. They could then set the pumps to dish out more or less insulin than necessary, sending patients into hypoglycemic shock or ketoacidosis.
The problem with these security breaches is that someone could potentially use these hacks to blackmail the patient - demanding payment for proper dispensing of medication, ultimately avoiding death. Even if hackers won’t go that far, they could still hack your medical device to retrieve your personal information.
In a paper published in World Neurosurgery, scientists and neurosurgeons explore the reality of brainjacking with Deep Brain Stimulation (DBS) implants.
These implants are surgically embedded in the brain and deliver electrical impulses to block signals from targeted areas in the brain. DBS implants are often used for patients with Parkinson’s disease when other medications fail to work, treating symptoms such as tremors, stiffness, and walking problems. DBS is also used to treat other neurological disorders like depression and essential tremor. Researchers found brainjackers could manipulate the actual device, draining the battery or sending shocks large enough to induce tissue damage. Even scarier, brainjackers could use the device to impair motor function, alter impulse control, or modify emotions since they essentially have a direct link to the brain.
The paper states:
Attacks could be made for a variety of reasons including blackmail, malice against an individual, or manipulation of a politically notable individual. The motive need not even be rational; in 2008 a website for epilepsy sufferers was attacked using flashing images designed to trigger seizures, with the attackers’ apparent motivation being amusement
While this is a scary scenario, the security of technology gets better every day. Apple recently came out with Touch ID, a fingerprint recognition feature to unlock your phone. They also have options to create a password to unlock your phone instead of a 4 digit pin, which is much easier to hack. Although there are additional factors to take into consideration with medical devices, such as ease of patient use and size, the more difficult to hack security features of the iPhone means there could be better security for medical devices on the horizon.
Aptly named, Enclothed Cognition is the official Medelita blog for medical professionals interested in topics relevant to a discerning and inquisitive audience. Medelita was founded by a licensed clinician who felt strongly about the connection between focus, poise and appearance.