The Evolution of Medical Device Cyber Threats: Past, Present, and Future | Ep. 6

In this episode of The Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery explore the evolution of medical device cybersecurity threats, charting a course from the past, through the present, and into the future. They begin by examining the origins of medical device hacking concerns, citing the notable case of former Vice President Dick Cheney in 2007. Cheney was so concerned about the wireless capabilities of his pacemaker that he had them disabled for fear of an assassination attempt. This fear was later validated by security researcher Barnaby Jack, who proved it was possible to remotely hack a pacemaker and deliver a fatal shock. The hosts further detail Jack's influential 2011 Black Hat demonstration where he successfully hacked an insulin pump, forcing it to dispense a lethal dose of insulin from a distance. This and similar vulnerabilities found in Johnson & Johnson insulin pumps and Smith Medical's drug infusion pumps highlighted the life-threatening potential of insecure medical devices, many of which use wireless protocols like Bluetooth that can be exploited from farther away than commonly believed. The discussion then transitions to the current state of medical device cybersecurity. The hosts acknowledge the industry's progress, driven significantly by new, more stringent guidance from the FDA released in 2023. This guidance mandates a 'secure by design' approach for new devices, requiring manufacturers to implement robust security controls throughout the entire product lifecycle, from initial requirements and design to post-market surveillance and disposal. A key component of this modern approach is transparency, particularly through the use of a Software Bill of Materials (SBOM), which lists all software components within a device. This allows healthcare providers and security professionals to better understand and manage potential risks. However, the hosts emphasize that a massive challenge remains: the prevalence of legacy devices. There are millions of older medical devices still in the field that were designed and deployed before these security standards existed, leaving them vulnerable and creating difficult dilemmas for patients who must weigh the risk of a cyberattack against the risk of undergoing surgery to replace a recalled device. Looking ahead, the podcast delves into the future of medical device threats, focusing on emerging technologies like autonomous surgical robots and Artificial Intelligence (AI). While today's surgical robots are operated by surgeons, the future promises fully autonomous systems that could perform surgeries without direct human control. A cyberattack on such a device could be catastrophic, with no human operator to intervene in a malfunction. The hosts also discuss the dual role of AI in cybersecurity. While AI tools are being developed to help defenders analyze threats and automate security responses, malicious actors are also harnessing AI to craft more sophisticated and automated attacks. This sets the stage for a future where the cybersecurity landscape becomes an ongoing battle of AI versus AI, with medical device security at the heart of this evolving conflict.

Christian: Yeah, so in this episode, we're going to cover the evolution of medical device cyber threats, some of the past, the present and the future. Christian: So let's start off with the past. You want to start off a little bit, Trevor, some of the history of medical devices and cybersecurity attacks against them? Trevor: Yeah, so, what I, one thing that is sort of a early on device attack that has seen a little bit of coverage was actually some concerns that Dick Cheney had around 2007, relating his pacemaker. Trevor: So he had a lot of concerns that there could be an assassination attempt against him since his pacemaker had a wireless connectivity feature. And he was very concerned that someone could hack into it and try to kill him. Um, interestingly enough, there was a security researcher who was able to prove that his concerns were founded. They were able to take pacemakers and as a proof of concept, effectively change the functionality and assassinate someone with a pacemaker. So, it was, that was one of the original, kind of notable events in 2007 where medical device cybersecurity was really coming into, coming into play. Christian: Yeah, and that's like 17 years ago. This is pretty amazing. I think a lot of people don't realize implantables such as pacemakers have wireless functionality, and it's typically Bluetooth, because they occasionally need a firmware update. So you have to, you don't want to take it out of the patient every time you want to update it. So you do it with Bluetooth. And often data is read off of that device, such as diagnostic data or data about the patient. So that's why it has some sort of wireless capability. Christian: And then, we've also got hacks with the mysterious guy, Barnaby Jack, kind of a funny name, that he hacked an insulin pump, and was able to deliver the maximum dose of insulin over and over and over and cause somebody to die. He didn't do it on a real patient, but he did a demonstration at Black Hat, and this was in 2011. So only four years later. And these insulin pumps, what he was able to do was use a high-power antenna and connect to an insulin pump from a far distance and manipulate it that way. Trevor: Yeah, and then Barnaby Jack was the same guy who actually was discovering that pacemaker attack and was able to do the proof of concept as well, isn't that correct? Christian: He, yeah, he heard about the threat to Dick Cheney, from my understanding, and wanted to validate that that was a legitimate threat, and he proved he could do it. He proved he could connect to a pacemaker and shock somebody over and over and over. Uh, and he, you know, he likes to use these high-power antennas so he could do it from a a distance. A lot of people think Bluetooth is you have to be super close, but I've heard people sniffing and connecting to Bluetooth devices like a mile away if you have a high-power antenna. Trevor: Oh, that's really interesting. Yeah, I know that a lot of times we'll see uh proximity as a security control around Bluetooth. Someone will say, well, there's not really much likelihood of exploitation just due to the fact that Bluetooth is such a close-range communication. But that's not always the case. And, yeah, with specialized equipment, you can attack it from pretty far away. Christian: Yeah, there's a thing called a blue sniper rifle that is designed to connect to Bluetooth a mile away. It's a very directional antenna. It looks like a an actual rifle. You probably shouldn't walk around with it in downtown Phoenix or anything, but, you know, or New York specifically, California. But yeah, this guy did this research, was able to sniff Bluetooth from a mile away and connect to Bluetooth devices. So, yeah, proximity is not always a good defense, especially with wireless. We like to use it as a defense, but it's not really, not unless you have a Faraday cage or something. Trevor: Yeah, I think Arizona is probably the only place where you can walk around in a major city with a rifle and nobody's going to ask you any questions. Christian: Yeah, that's why I switched it to California or New York because I I was thinking, if I walked around with my rifle or even my shotgun, probably nobody's going to say anything. Because I've seen people in liquor stores with like a a gun in their holster. Uh, and I think, man, this is kind of interesting. This guy's in a liquor store, he might have been drinking, and he's got a gun like in a holster, um, you know, outside his waistband carry as a, you know, not concealed carry but open carry. So it's kind of interesting. Trevor: Yep. Trevor: So, similar to the insulin pump attack that Barnaby Jack discovered, uh, Johnson & Johnson disclosed a vulnerability in 2015 that was essentially a copy of that problem that Barnaby Jack had discovered in the past. Uh, this was, attackers could essentially get into the pump without any access controls. They were able to hack into it and then, same thing, crank up the dose to the maximum level and just continually apply maximum dose and essentially cause someone to die as long as they have this insulin pump. And this whole thing, again, was a remote connection. Christian: There's been a lot of attacks against these pumps, like insulin pumps. And then, I know in 2017, there was a vulnerability discovered in Smith Medical's Medfusion pump. This is more of a drug infusion pump. Drug infusion pumps are used to administer any type of drug, not just insulin. And if you can increase the flow rate by one of these attacks, you can kill somebody. So imagine you have a patient that needs some sort of drug for pain such as, um, such as morphine. And if you can increase the flow, the flow rate of morphine wirelessly by connecting the drug infusion pump, you can cause this person to OD and die. So these, there's severe consequences with these medical device hacks. Trevor: Yeah, and kind of tying into the same devices getting hacked over and over, um, at a similar point, I believe it was right around the same time, um, Medtronic had pacemakers with, same thing again, someone was able to control the pacemaker and cause malfunctions that could either lead to the pacemaker not performing its intended function or just actually cause detrimental effects to the patient. Christian: Yeah, and I think they issued a recall on the pacemakers. Imagine you're a patient with an implantable pacemaker in you. I think they have to do some sort of open-heart surgery to put a pacemaker in there, I imagine. And then it's recalled. Now, what do you do? Do you decide to live with the risk that this pacemaker may be attacked, with a cybersecurity attack? Or do you go back to the doctor and have it removed and have another one put in? Like, which risk is greater? And, you know, that's something, if I'm a patient, that's that's a tough decision, I imagine. Trevor: Definitely. Yeah. I mean, open heart surgery is pretty famously scary for a good reason. You don't want that if you don't need it. And having to weigh out that balance of, well, if my pacemaker gets hacked into, I can very well die from that, or I need to undergo a risky surgery to have this replaced. It's a difficult decision to make, and I think that's why there's been such a big push across the industry for security in the first place. Not having these retroactive security concerns for devices that are later found to be vulnerable. Identify what the vulnerabilities are now, and then you're not going to have to worry about it down the line. Christian: Right. We want to do our best to design security into the device. And in going to the present time, it was last year that the FDA came out with new guidance in 2023. But there is a shift in the industry to securely design medical devices, um, or have secure medical devices that were, from requirements to design to disposal, the whole life cycle, they are secure. And a lot of people have wondered about the legacy devices that are out, currently in the field, if they need to be updated, such as these pacemakers and other devices. What what do you know, what have you heard about the legacy devices? Trevor: It's a really hard issue to tackle. You have, they're estimated to be around 2 million unique medical devices out in the field right now. Christian: What do you mean by 2 million unique? Does that mean, like, out of those 2 million, they're all different types of devices? Trevor: 2 million unique products. There's, of course, plenty of overlap. There, you know, how many different insulin pumps out there. But 2 million unique products. And each one of these has its own unique threat landscape, attack surface, and potential problems. Trevor: So, with such a massive number, it's really hard to track down all of these legacy devices, and it's a very difficult problem to come across. A lot of what is done is a push for increased security research against these older devices. I know you briefly touched upon the new FDA guidance as of last year, but the security requirements around cyber devices, which is essentially any device with a computer attached, any medical device with a computer attached, have gone up significantly. The security controls are very strict, there's very strict testing requirements to try to prevent these problems from happening. Now, with these pre-approved devices that were approved before this guidance came out, they didn't go through the same process. So there's been a push across the industry to try to have more responsible research and responsible vulnerability disclosure, which is good-faith security research. So, that's good guys, the good hackers with good intentions, trying to find these devices and finding problems for the better good, and not trying to exploit them for their own personal gain. And then they were able to inform these manufacturers. Manufacturers are able to get and inform the FDA. But without an official, strict process in place, it's still a slow, tedious process. And right now, it's definitely a pretty big concern to have all of these legacy devices out there in the open. Christian: Yeah, 100%. I I think a lot of people are having to do annual tests against those devices and and do some updates with them because there is a huge risk with them out there. And the FDA is also pushing for transparency. So if I'm a device manufacturer, I'm supposed to be transparent about the cybersecurity risk with my device. So, a patient or a healthcare provider, whoever is going to use that medical device, understands the risk before they purchase it or decide to, you know, to have a pacemaker implanted, for instance. Trevor: So as part of a transparency, that would be talking about some of the parts of the device and everything going into it. Isn't that correct? Christian: Yes, the parts of the device such as all the third-party software that make up the device, what controls make up the device. So if I'm going to buy something, I can understand, at least the best I can, in layman's terms, what the cybersecurity risk is for that device. Trevor: That makes sense. I know, kind of a similar analogy would be looking at a car. Like, if you buy a car, you're going to want to know all the parts that go into it. And if there's a problem with one of those parts, then you're able to address it at that level instead of just having a problem in the entire device. Christian: That's the transparency. It's called a software bill of materials. So if I buy a medical device that has software in it, the whole supply chain of all the software, because people that, like, develop, software developers that develop software, borrow code from other places. So that the software bill of materials lists all the code that was borrowed from other places that makes up the overall software, kind of like the car you said, you know, if you buy the Cybertruck, talk about cyber, I don't know why they call that thing the Cybertruck. I hate that that term for that truck. I don't even like that. Trevor: Looks all space-age. Christian: Is that what it is? Trevor: Yeah, it's, you know, supposed to look like something out of cyberpunk or just that style. It's all angular, super harsh, brutalist-looking. Christian: Yeah. Well that thing is supposed to have, if I'm going to buy it and understand the risk, I want to know, like, who made the engine, who made the, and that might be a bad example with a Tesla, but who made the uh tires, who made the brakes, so, you know, that way I know where everything came from. Trevor: Yep. I've seen more of those things being hauled away, those cyber trucks, by like a a gasoline um tow truck than I've seen them actually working, I feel like. Trevor: Yeah, every time I see news about them, it's something like, "Oh yeah, children get locked in the back of the cybertruck and then it just won't open when the battery dies," or if you have it in a cold environment, it doesn't work at all. I know there, a couple people up here in Flagstaff with Cybertrucks. You see them once in a while. And it just makes no sense. They have, I think, 40% reduced battery up here. Christian: Because the altitude? Or because of what? Trevor: Because it's so cold, it's, you know, it's like four degrees in the morning here. Christian: Yeah, that- these are the risks that need to be articulated. I mean, the Cybertruck's not a medical device, but the same concept because I I've heard here in in Phoenix, in "the valley," as they say, it gets super hot, like 120 degrees. And I've heard the batteries of some of these cars, like the Cybertrucks, have drained and people have gotten locked in the vehicle because they don't know how to unlock it because you can't open the door without the battery. Uh and that is a huge risk, especially if you're trapped in a car when it's 120 degrees and it's just going to get hotter and hotter and hotter while the windows are up. Trevor: Definitely. Isn't it crazy? We're like a two-hour drive apart and we have exact opposite problems. Here it's too cold for cars to run and there it's too hot for cars to run. Christian: Yeah, when my, my car overheated not too long ago. And I, I remember you said something, I thought it was funny, about, uh, if you buy a Tesla, it comes with a new personality. What do you mean by that? What do you mean by that? Trevor: Well, the first thing you ever hear about anyone who drives a Tesla, like, I think about, anytime I go take an Uber, I just got back from Black Hat in Las Vegas and I can't stand driving in that city and I can't stand parking in that city even more. So I'll just take an Uber everywhere I'd go. And if I got in a regular car, like just, you know, a Honda Civic or whatever for the Uber, the guy would just say, "Hey, how's it going?" and talk about something else. If I got into a Tesla, the first thing that came up was that guy's Tesla, every single time. It is the focal point of a lot of Tesla owners. Christian: Yeah, and they should probably, for transparency, say it comes with, I think they call it range anxiety with the Teslas, is that right? Trevor: Range anxiety. Christian: Because you're always afraid you might run out of battery without a charger nearby or something. Yeah. I don't have, I'm not a fan of electric, electric cars. Um, I'm a fan of electric go-karts but not electric cars. Trevor: I think go-karts are fun. Christian: Yeah. So we've covered, um, some of the past with medical device cybersecurity, a little bit of the present with the FDA's guidance and how to handle legacy, and what currently, what currently we're doing to improve medical device security. And some of the future-looking, um, lens for medical device cybersecurity. Is anything, anything we should add to our sort of walk-through of the history of medical device cybersecurity here? Trevor: No, I think that's a pretty good, we kind of covered a lot of the big points, just looking at how medical device cybersecurity has come into the public eye a little bit more and then where we see it going in the future. Christian: Awesome. And for some reason I was thinking about that Tesla again. I, I know you bought a new car recently. Did you buy a Tesla or a Cybertruck, or did you buy something different? Trevor: I did not. I got a Jeep, and that Jeep runs on gasoline, and that Jeep is not going to have any problems once the winter rolls around. Christian: That's true. I did, I didn't know the Teslas had so many problems in the cold and in the heat. I thought it was just in the heat, but you're telling me they have problems in the cold too. Trevor: Yeah, batteries in general just don't like the cold up here. And also, we get like ridiculous amounts of snow and ice, and I don't think Teslas handle that very well. Christian: Cool. Well, I'm, you're not going to see me buying a Tesla anytime soon. I like Elon Musk, I just don't like Teslas. I prefer gasoline vehicles. Trevor: Yep. Christian: Awesome. Well, I hope everyone that tuned in got some value out of our evolution of medical device cyber threats, the past, present, and future. And hopefully you gained some insights. And we look forward to seeing you on our next episode. In the next episode, we're going to be talking about the human factor and how that contributes to a lot of the incidents and issues with medical devices. Thanks for tuning in. See you, see you next time.