Friday, November 09, 2012

Struth I Hope They Sort This Out and Quick. The Perfect Murder?

This turned up a few days ago.

Death by defibrillator: FDA called to address hacking risk

By Brian Alexander, NBC News Contributor
It sounds like a scenario out of a James Bond movie: a villain spots his quarry and uses a small device to hack into the official’s heart defibrillator, sending a signal for mayhem. There’s chest grabbing, and a collapse, and alarms, but the bad guy walks free because there’s no gun, knife, poison dart -- no evidence at all a murder has been committed.
According to a recent report by the Government Accountability Office (GAO), a non-partisan agency that works for Congress, not only is such a scenario possible, there’s a growing danger that grandpa’s heart rhythm device, or, say, a child’s insulin pump – any implantable device that can be accessed remotely -- could be susceptible to hacking.
But the GAO report suggests that the Food and Drug Administration, which approves and regulates such devices, has been behind the curve when it comes to security and now is calling for the agency to set guidelines for manufacturers to help combat the threat of hacking.
According to the report, which had been requested by members of Congress in light of tests by researchers revealing the vulnerability of the medical technology, “there have been four separate demonstrations in controlled settings showing that the intentional exploitation of vulnerabilities in certain medical devices is possible.” The report stressed that there have been no proven cases of anybody actually doing this for nefarious purposes.
Still, when he released the GAO report, Congressman Edward J. Markey (D-Mass.), one of the requesting legislators, issued a statement saying that “wireless medical devices are susceptible to increasingly advanced hacking techniques that could threaten patient health.”
The susceptibility stems largely from their wireless communications abilities, explained Nathanael Paul, chief scientist at the Center for Trustworthy Embedded Systems at Oak Ridge National Laboratory. In 2010, Paul and a colleague demonstrated they could hack into an insulin pump, like the one Paul himself wears to treat his Type 1 diabetes.
Thanks to wireless communication, doctors can download diagnostic information and health status from the device to a computer and make changes in the performance of a device without surgery. For example, defibrillators can be programmed using a wand that communicates with the device inside a patient’s chest.
Lots more here.
Oh dear, oh dear!
Good to know all this has apparently not happened yet...as far as we know!
Sort this one out guys - and fast.
David.

4 comments:

Kris said...

Wow. Amazing the dark turn of our minds, isn't it? Do you ever ask yourself WHY on earth we, as a species, would fritter away our talents and efforts on damaging others like this? Tamper-resistant packaging, bomb-sniffing dogs, hacked insulin pumps--what is wrong with us?

Anonymous said...

And of course just in case the nefarious souls out there hadn't even thought about doing any such thing, the so-called powers-that-be that are trying to protect people have now put the idea in their heads by making statements like this publicly!!!!

Way to go the 'bright' (?) people.

Anonymous said...

Well, not so silly really. It is an extreme example of what might happen, but it captures attention. And that is much needed, because nothing is happening in this country to convince me that the safety of e-health is being taken seriously. We have an at best lip service process, just focussed on PCEHR (that most non-clinical of clinical systems), and the rest of e-health remains unregulated and unexamined. Yet this week in the New England Journal we see how seriously it is being taken in the US. Why do we have to wait for something significantly negative to happen before we do the right thing?

Anonymous said...

@ first Anonymous
It is good (Information) Security Practice that vulnerabilities are exposed so something will be done about it. Security by Obscurity is never the way to go. http://en.wikipedia.org/wiki/Security_through_obscurity