Computers and smartphones aren’t the only electronics that can be hacked. Alarmingly, during the past few years several researchers have found that wireless and wearable medical devices, like pacemakers, insulin-delivery systems, and neural implants, are vulnerable to cyber-attacks. Though none have reportedly been hacked in field use yet, researchers have been hard at work finding ways to secure such medical devices before it’s too late.
A team of professors and graduate students from Purdue University, in West Lafayette, Ind., and Princeton University recently developed a prototype firewall that could go a long way in warding off attacks.
The group includes Meng Zhang, an electrical engineering graduate student at Princeton; IEEE Fellow Anand Raghunathan, a professor of electrical and computer engineering at Purdue; and IEEE Fellow Niraj K. Jha, a professor of electrical engineering at Princeton.
The team was inspired to develop its prototype, Medmon, after researching the vulnerability of a variety of medical devices in 2011, including pacemakers, glucose-monitoring and insulin-delivery systems, neural implants, and so-called smart prosthetics. “Our work showed that these are surprisingly easy to hack,” Raghunathan says.
“The correct functioning of implantable and wearable medical appliances is life-critical,” he says. “Any security attacks that can disrupt them, or even leak private information, are of great concern.”
Breaking into an insulin pump is not difficult, and it takes only a small investment. “A few research groups, including ours, have shown that medical devices can be hacked using relatively inexpensive [worth less than US $1000] off-the-shelf equipment such as a PC and a software-programmable radio,” Jha says. “We were able to snoop on sensitive health information and take control of the insulin pump to prevent the delivery of insulin or to deliver it when it was not needed.”
Although the likelihood of someone’s insulin pump being hacked is considered low, the researchers say it’s important to act now, before an incident occurs.
Developing Medmon was a challenge, according to the researchers. Unlike your computer, medical devices are more complicated when it comes to protection. “Unfortunately, many of the solutions that have been developed for other classes of computing platforms, such as servers, PCs, and mobile phones, cannot be used for medical devices due to the extreme computation and battery constraints,” Raghunathan says, “and because of the unique way medical appliances are used.”
Medmon works by monitoring all communications to and from wireless medical devices in its vicinity, using algorithms such as multilayered anomaly detection to spot malicious communications.
“It triggers response mechanisms that could warn the user or jam the malicious communication,” Raghunathan explains. “This is similar to how firewalls secure home or corporate computer networks, by identifying and blocking malicious traffic.”
In a test, the researchers used Medmon to protect against an attack on a diabetes patient’s system consisting of a glucose monitor and an insulin pump. Although the prototype still needs work, the team predicts several possibilities for it. Medmon could be built into a separate unit worn by a patient with a medical implant or a wearable device, Jha says, or it could be integrated into a mobile device such as a smartphone or watch. “But this will require us to significantly reduce the size of our prototype while increasing its energy efficiency,” he adds.
“In the long run, it would be great to design security into the medical devices themselves,” Raghunathan says. “But in the meantime, solutions like Medmon could offer a safety net.”