Expert Review of Medical Devices

ISSN: 1743-4440 (Print) 1745-2422 (Online) Journal homepage: http://www.tandfonline.com/loi/ierd20

Security of implantable medical devices with wireless connections: the dangers of cyber-attacks

Laurie Pycroft & Tipu Z. Aziz

To cite this article: Laurie Pycroft & Tipu Z. Aziz (2018): Security of implantable medical devices
with wireless connections: the dangers of cyber-attacks, Expert Review of Medical Devices, DOI:
10.1080/17434440.2018.1483235

To link to this article: https://doi.org/10.1080/17434440.2018.1483235

Accepted author version posted online: 04 Jun 2018.

Publisher: Taylor & Francis

Journal: Expert Review of Medical Devices

DOI: 10.1080/17434440.2018.1483235

Security of implantable medical devices with wireless connections: the dangers of cyber-attacks

Mr Laurie Pycroft¹ and Tipu Z. Aziz

1) Oxford Functional Neurosurgery, University of Oxford, John Radcliffe Hospital, Headington,
Oxford OX3 9DU
2) Oxford Functional Neurosurgery, University of Oxford, John Radcliffe Hospital, Headington,
Oxford OX3 9DU

Correspondence to Laurie Pycroft laurie.pycroft@nds.ox.ac.uk


Keywords: Brainjacking, cybersecurity, deep brain stimulation, hacking, IMD, implant, implantable
pulse generator, implantable medical device, insulin pump, medical device security, pacemaker,
security

1. Introduction

Modern wireless implantable medical devices (IMDs) began to be widely introduced to medical
practice in the early 2000s, when devices such as cardiac implants, insulin pumps, and neurological
implantable pulse generators (IPGs) started featuring wireless clinician controls and monitoring
functions. Enabled by rapid advances in technology, modern IMDs have developed these functions
to the point that clinicians and patients can use their smartphone to control and monitor implants
wirelessly either by directly connecting the two devices (e.g. via Bluetooth) or connecting them via
the internet.

Though the advantages offered by wirelessly connected IMDs are substantial, there is a burgeoning
risk of devices being disabled or subverted by attackers (i.e. malicious hackers) because of failures in
cybersecurity. Wireless control features allow attackers to manipulate IMD settings from beyond the
immediate vicinity of the patient, while networked IMDs (i.e. those connecting to internal hospital
networks or the internet) are at risk from attacks originating anywhere in the world.

The risk of most individual patients suffering serious harm due to cybersecurity failures in their IMD
is currently small, but the rapid proliferation of IMDs coupled with their increasing variety of
features is increasing the risk at an alarming rate. Some patients, such as prominent public figures,
may be at greater than typical risk of attack; then-US Vice President Dick Cheney reportedly
requested that the wireless functions of his implanted cardiac device be disabled to reduce the risk
of politically-motivated assassination via IMD cyber-attack. Successful attacks could do great harm to
patients and, when reported in the media, could unfairly tarnish the reputation of lifesaving medical
implants.

Cybersecurity research into IMDs has revealed that several devices are vulnerable to attacks of
varying severity. Cardiac implants have been demonstrated to contain potentially lethal security
flaws [1–3], as have implantable insulin delivery pumps [4,5], and our group has raised concerns
regarding risks specific to neurological implants [6]. Recently, Marin and colleagues directly
demonstrated serious vulnerabilities in the proprietary wireless protocols of an implantable
neurostimulator, enabling them to perform an array of software attacks.

Opportunities for attack have been found in IMDs made by a range of manufacturers, designed to
treat a variety of conditions. There is little reason to believe that the devices tested were
cherry-picked. As such, collectively this research suggests that security vulnerabilities in IMDs are the norm
rather than the exception.

2. Existing threats

Recent years have seen increasing recognition of cybersecurity risk in implantable medical devices
and more generally throughout medicine. In 2015 the FDA issued its first safety communication
regarding cybersecurity risk, warning clinicians regarding security flaws in Hospira external drug
infusion pumps [7]. In 2016 Johnson & Johnson released a warning about vulnerabilities in their
OneTouch implantable insulin pump system [8] following publication by independent security
research firm Rapid7 [9], setting the standard for responsible disclosure of vulnerabilities.

Less responsible was the 2016 disclosure by security research firm Medsec and investment firm
Muddy Waters regarding security flaws in the St Jude Merlin@Home pacemaker monitoring system,
which gave rise to a lawsuit [10] and raised serious ethical questions. This incident resulted in an
unprecedented FDA recall – the first related to cybersecurity – of the St Jude pacemaker system in
2017 including a software update to rectify the issues [11]. Recent ransomware attacks on hospital
networks, disabling critical medical devices and compromising patient data, also clearly demonstrate
the risks of insecure medical computer systems and underscore the importance of improving IMD
security.

Wireless IMDs, as currently used in medical practice, exhibit many vulnerabilities. Communication
between the IMD and a base-station or programmer device can be intercepted and, if the signals are
not protected by encryption and/or authentication protocols, an attacker can collect or alter the
information, potentially while positioned hundreds of metres away. Even if protected by encryption,
which many existing devices are not, the mere presence and pattern of such signals can provide
information that could be valuable for an attacker.

The base-station or programmer can also be the target of interference; its communications with
other devices on a wireless network (or over the internet) can be collected and altered, and the
device can be compromised through physical or remote introduction of malicious code. This latter
issue is of importance as IMDs are increasingly designed to interface with consumer electronic
devices such as smartphones and tablet computers, opening up the possibility of malware targeting
the consumer device and thereby gaining access to programmer applications that control the IMD.
Potential attacks are not limited to digital systems, with analogue sensor and effector components
of IMDs being vulnerable to spoofing attacks [12].

These technical vulnerabilities are compounded by the human factor of everyday clinical practice.
Lax security procedures when connecting to hospital networks (e.g. leaving computers unlocked
when away from one’s desk), poor interface designs that make it expedient for clinicians to ignore
security features, bad practices such as use of default passwords on medical devices, and a simple
lack of awareness of cybersecurity risks can all open otherwise securely designed IMDs to potential
attack.

The consequences of these vulnerabilities, should they be exploited, are varied and potentially
profound. Theft of data and denial of treatment are possible across almost all wirelessly connected
IMDs [13], with battery-draining attacks being particularly feasible to conduct and damaging to
patient health. Cardiac implants and implanted insulin pumps can be manipulated to induce cardiac
rhythms, or deliver an insulin bolus, that may be lethal [1,3,4]. Neurological implants, generally
having more complex but less life-critical functions, are vulnerable to attacks with a broader range of
consequences, including influencing the patient’s thoughts and behaviour [6]. This latter risk has
raised challenging legal and ethical questions, particularly regarding patient autonomy [14–16].

Modern IMDs typically contain personal information stored in their memory. Basic details such as
contact details for the patient’s physician, date of birth, and name can all be leveraged by an
attacker to engage in social engineering and identity theft. More technical information, such as the
stimulation settings of the IMD or the rate of battery drain, may be used to infer details of a
patient’s condition, which an attacker could utilise to facilitate attacks relying on specific
pathological states [6]. Also concerning from a security perspective is the biometric information that
these devices are increasingly collecting. Closed-loop IMDs utilise physiological data gathered by
sensors to better control electrical stimulation or drug delivery via effector components, but these
data may be of value to attackers who wish to determine details of a patient’s pathology, or even
potentially access information regarding a patient’s mind-state, as demonstrated by Martinovic and
colleagues, who successfully employed side-channel attacks against a non-invasive brain-computer
interface system and thereby revealed participants’ private information [17].

We should emphasise that, though these attacks are technically possible today, many of them
require a high level of sophistication that would be prohibitive for casual attackers. Undertaking such
an attack relies upon relatively basic and inexpensive equipment [1,4,18], but also requires
knowledge of wireless device cybersecurity, biomedical engineering and, for more complex
targeted attacks, physiology [6,13]. This combination of skills is unlikely to be found in typical
cyber-criminals, and most highly competent attackers would have more valuable targets available. We are
aware of no evidence that any successful attack has taken place on an IMD to date. However, due to
lack of auditing logs on most IMDs, it may be extremely difficult to identify the occurrence of such an
attack from the background noise of routine device failures. Side-channel attacks revealing patients’
private information would be especially hard to identify, given the lack of direct interference with
the IMD, and may be particularly attractive to attackers seeking to engage in identity theft; this
combination of deniability and profitability suggests that identifying and guarding against such
attacks should be a high priority for stakeholders.

3. Solutions

From machine learning algorithms to wearable devices, a plethora of technical solutions have been
proposed to alleviate IMD security concerns [13]. A detailed review of such solutions is beyond the
scope of this article; instead we will focus on some general recommendations for stakeholders to
consider when designing and using IMDs. These recommendations can be thought of as
enhancements to existing quality control and management systems, expanding established best
practices to cover novel technologies.

Our key recommendations:

1. Auditing – IMDs should keep detailed logs of device activity and access events. This
facilitates diagnosis of faults, both malicious and unintentional, and can be combined with
mechanisms to detect anomalous activity and report it to the patient or clinician.
2. Bug reporting – Postmarket surveillance should include improved mechanisms for
identifying security flaws and patching them swiftly. Independent security researchers
currently face impediments to responsibly reporting bugs, which manufacturers must work
to reduce.
3. Multi-factor authentication – By requiring more than one form of authentication, accessing
an IMD becomes more challenging for attackers. Biometric information specific to the
patient, or access controls that require close proximity to the patient, are relatively easy to
implement as access requirements and would substantially increase security if used well.
4. Education – Current awareness of cybersecurity risk among clinicians appears low, and IMD
manufacturers’ efforts in designing secure devices have been lacking in the past. Initiatives
to better propagate awareness of this risk, and the means of reducing it, may work to
improve security and increase public confidence in IMDs.

If implemented correctly, these recommendations would doubtless increase IMD security. However,
this implementation is by no means trivial, largely due to the technical limitations imposed by IMDs,
the two most prominent of which are reliability and battery life. As lifesaving medical interventions,
IMDs must provide extremely reliable functionality, operating flawlessly for years of normal life and
during medical emergencies. Clinicians must be able to interact with the device even when the
patient is unconscious and their medical history is unknown, creating the challenge of having
mechanisms which both prevent unauthorised access and allow emergency access. The requirement
that IMDs be compact necessitates small batteries, reducing the available processing power and
memory available for security features. This impediment is diminishing somewhat over time as
rechargeable IMDs become more common and component power requirements diminish through
technological advancement, although the development of novel features causes competition for the
limited device power available.
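
As an added illustration of the auditing recommendation under the memory constraints just described (not code from the article or from any device), the following Python sketch keeps a bounded, HMAC-chained log of access events and flags repeated authentication failures and bursts of wireless sessions. The event names, thresholds, key handling and sample events are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from collections import deque

GENESIS = b"\x00" * 32  # chain start value (assumption)

class AuditLog:
    """Bounded, HMAC-chained log of access events (illustrative sketch)."""

    def __init__(self, key: bytes, capacity: int = 64):
        self.key = key                         # device-held secret (assumed)
        self.entries = deque(maxlen=capacity)  # oldest entries drop when memory is full
        self.head = GENESIS

    def _tag(self, prev: bytes, body: bytes) -> bytes:
        return hmac.new(self.key, prev + body, hashlib.sha256).digest()

    def append(self, ts: int, event: str, peer: str) -> None:
        body = json.dumps({"ts": ts, "event": event, "peer": peer}, sort_keys=True).encode()
        tag = self._tag(self.head, body)
        self.entries.append((self.head, body, tag))
        self.head = tag

    def verify(self) -> bool:
        """True if every retained entry is unmodified and correctly linked."""
        prev = None
        for stored_prev, body, tag in self.entries:
            if prev is not None and stored_prev != prev:
                return False
            if not hmac.compare_digest(self._tag(stored_prev, body), tag):
                return False
            prev = tag
        return prev is None or prev == self.head

def anomalies(log, window_s=600, max_auth_fail=3, max_sessions=5):
    """Flag repeated failed authentication and bursts of wireless sessions."""
    events = [json.loads(body) for _, body, _ in log.entries]
    alerts = []
    for i, e in enumerate(events):
        recent = [x for x in events[: i + 1] if e["ts"] - x["ts"] <= window_s]
        count = sum(x["event"] == e["event"] for x in recent)
        if e["event"] == "auth_fail" and count == max_auth_fail:
            alerts.append((e["ts"], "repeated_auth_failure"))
        if e["event"] == "session_open" and count == max_sessions:
            alerts.append((e["ts"], "session_burst"))  # possible battery-drain attempt
    return alerts

def build_sample_log() -> AuditLog:
    """Constructed events: one normal clinic session, then suspicious activity."""
    log = AuditLog(key=b"constructed-demo-key")
    sample = [(0, "session_open", "programmer-A"), (5, "auth_ok", "programmer-A"),
              (60, "param_change", "programmer-A")]
    sample += [(3600 + 10 * i, "auth_fail", "unknown-1") for i in range(3)]
    sample += [(3700 + 10 * i, "session_open", "unknown-1") for i in range(5)]
    for ts, event, peer in sample:
        log.append(ts, event, peer)
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print(log.verify(), anomalies(log))
```

Because each tag covers the previous tag, editing or deleting a retained entry breaks verification, while the fixed capacity keeps memory use constant at the cost of losing the oldest events.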

Encouragingly, some manufacturers are taking heed of security researchers’ warnings and including
security concerns in their concept stage designs. The Johnson & Johnson disclosure [8] has
demonstrated that manufacturers can take a responsible approach to IMD security flaw disclosure,
and various FDA workshops and consultation events have helped to foster a more open approach to
security. These trends should all be supported and expanded upon.

4. Conclusion

Implantable medical devices have already improved the lives of millions worldwide and offer a
promising future, with a greater variety and quality of IMDs treating more disorders with increasing
efficacy. Though currently small, the risk of cyber-attacks on wireless IMDs is likely to increase
alongside device complexity and prevalence, potentially resulting in substantial harm to patients and
a public perception that IMDs carry unacceptable risks.

Designing IMDs that are perfectly secure is, as with any computer system, practically impossible.
Trade-offs between security and other design goals are necessary to produce IMDs that function
acceptably from a clinical perspective. Nevertheless, many modern IMDs feature elementary
security flaws that raise serious concerns. Manufacturers, clinicians, security researchers, and
regulators should collaborate to develop more robust mechanisms for designing secure devices and
maintaining good security practices once they enter clinical practice.

Funding

This paper was not funded.

Declaration of Interests

The authors have no relevant affiliations or financial involvement with any organization or entity
with a financial interest in or financial conflict with the subject matter or materials discussed in the
manuscript. This includes employment, consultancies, honoraria, stock ownership or options, expert
testimony, grants or patents received or pending, or royalties.

Reviewer disclosures

Peer reviewers on this manuscript have no relevant financial relationships or otherwise to
disclose.

References
Papers of special note have been highlighted as either of interest (•) or of
considerable interest (••) to readers.

[1] *Halperin D, Heydt-Benjamin TS, Ransford B, et al. Pacemakers and Implantable Cardiac
Defibrillators: Software Radio Attacks and Zero-Power Defenses. 2008 IEEE Symp. Secur. Priv. IEEE.
2008. 129–42

- Landmark study from Kevin Fu's lab, being the first to practically demonstrate cybersecurity
vulnerabilities of an IMD

[2] Robertson J. Hacker Shows Off Lethal Attack By Controlling Wireless Medical Device.
Bloomberg.com. 2012. Available from:
http://go.bloomberg.com/tech-blog/2012-02-29-hacker-shows-off-lethal-attack-by-controlling-wireless-medical-device/

[3] Marin E, Singelée D, Garcia FD, et al. On the (in)security of the latest generation implantable
cardiac defibrillators and how to secure them. Proc. 32nd Annu. Conf. Comput. Secur. Appl. - ACSAC
’16. 2016

[4] *Raghunathan A, Jha NK. Hijacking an insulin pump: Security attacks and defenses for a
diabetes therapy system. 2011 IEEE 13th Int. Conf. e-Health Networking, Appl. Serv. 2011. 150–6

- Another landmark study, demonstrating vulnerabilities in insulin pumps and glucose monitors

[5] Radcliffe J. Hacking medical devices for fun and insulin: Breaking the human SCADA system.
Black Hat Briefings. 2011

[6] *Pycroft L, Boccard SG, Owen SLF, et al. Brainjacking: implant security issues in invasive
neuromodulation. World Neurosurg. 2016. 92:454-62

- Detailed review of cybersecurity risks in neurological implants, including specific attack scenarios
that raise challenging ethical concerns.

[7] FDA. Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System: FDA Safety
Communication. 2015 [cited 2018 May 25]. Available from:
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm

[8] Finkle J. J&J warns diabetic patients: Insulin pump vulnerable to hacking. Reuters. 2016
[cited 2018 May 25]. Available from:
https://www.reuters.com/article/us-johnson-johnson-cyber-insulin-pumps-e/jj-warns-diabetic-patients-insulin-pump-vulnerable-to-hacking-idUSKCN12411L

[9] Beardsley T. Multiple Vulnerabilities in Animas OneTouch Ping Insulin Pump. Rapid7 Blog.
2016 [cited 2018 May 25]. Available from:
https://blog.rapid7.com/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump/

[10] *Ransford B, Kramer DB, Foo Kune D, et al. Cybersecurity and medical devices: A practical
guide for cardiac electrophysiologists. Pacing Clin. Electrophysiol. 2017. 40:913–7

- Useful practical guide to IMD security, with tips that are helpful beyond cardiac electrophysiology.
Also has a very useful writeup of the St Jude Medical/Muddy Waters incident.

[11] FDA. Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s
(formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication. [cited
2018 May 25]; Available from:
https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm

[12] Kune DF, Backes J, Clark SS, et al. Ghost talk: Mitigating EMI signal injection attacks against
analog sensors. Proc. - IEEE Symp. Secur. Priv. 2013

[13] **Camara C, Peris-Lopez P, Tapiador JE. Security and privacy issues in implantable medical
devices: A comprehensive survey. J. Biomed. Inform. 2015. 55:272–89

[14] Ienca M, Andorno R. Towards new human rights in the age of neuroscience and
neurotechnology. Life Sci. Soc. Policy. 2017. 13:5

[15] *Ienca M, Haselager P. Hacking the brain: brain–computer interfacing technology and the
ethics of neurosecurity. Ethics Inf. Technol. 2016. 18:117–29

- Fascinating ethics paper dealing with the challenges of brain implant cybersecurity

[16] Pugh J, Pycroft L, Sandberg A, et al. Brainjacking in Deep Brain Stimulation And Autonomy.
Ethics Inf. Technol. 2018. In press

[17] Martinovic I, Davies D, Frank M, et al. On the Feasibility of Side-Channel Attacks with
Brain-Computer Interfaces. Usenixorg. 2012

[18] Marin E, Singelée D, Yang B, et al. Securing Wireless Neurostimulators. Proc. Eighth ACM
Conf. Data Appl. Secur. Priv. 2018. 297–8
