Episode 55 · December 24, 2024 · 23m listen · 3,130 words · ~16 min read

The Evolution of Medical Device Cyber Threats: Past, Present, and Future | Ep. 6 - Full Transcript | The Med Device Cyber Podcast

Read the complete, searchable transcript of Episode 55 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.

Prefer the listening experience? Open the episode page for the synopsis, key takeaways, topics, and Apple / YouTube listen links.

Episode summary

In this episode of The Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery explore the evolution of medical device cybersecurity threats, charting a course from the past, through the present, and into the future. They begin by examining the origins of medical device hacking concerns, citing the notable case of former Vice President Dick Cheney in 2007. Cheney was so concerned about the wireless capabilities of his pacemaker that he had them disabled for fear of an assassination attempt. This fear was later validated by security researcher Barnaby Jack, who proved it was possible to remotely hack a pacemaker and deliver a fatal shock. The hosts further detail Jack's influential 2011 Black Hat demonstration where he successfully hacked an insulin pump, forcing it to dispense a lethal dose of insulin from a distance. This and similar vulnerabilities found in Johnson & Johnson insulin pumps and Smith Medical's drug infusion pumps highlighted the life-threatening potential of insecure medical devices, many of which use wireless protocols like Bluetooth that can be exploited from farther away than commonly believed. The discussion then transitions to the current state of medical device cybersecurity. The hosts acknowledge the industry's progress, driven significantly by new, more stringent guidance from the FDA released in 2023. This guidance mandates a 'secure by design' approach for new devices, requiring manufacturers to implement robust security controls throughout the entire product lifecycle, from initial requirements and design to post-market surveillance and disposal. A key component of this modern approach is transparency, particularly through the use of a Software Bill of Materials (SBOM), which lists all software components within a device. This allows healthcare providers and security professionals to better understand and manage potential risks. However, the hosts emphasize that a massive challenge remains: the prevalence of legacy devices. There are millions of older medical devices still in the field that were designed and deployed before these security standards existed, leaving them vulnerable and creating difficult dilemmas for patients who must weigh the risk of a cyberattack against the risk of undergoing surgery to replace a recalled device. Looking ahead, the podcast delves into the future of medical device threats, focusing on emerging technologies like autonomous surgical robots and Artificial Intelligence (AI). While today's surgical robots are operated by surgeons, the future promises fully autonomous systems that could perform surgeries without direct human control. A cyberattack on such a device could be catastrophic, with no human operator to intervene in a malfunction. The hosts also discuss the dual role of AI in cybersecurity. While AI tools are being developed to help defenders analyze threats and automate security responses, malicious actors are also harnessing AI to craft more sophisticated and automated attacks. This sets the stage for a future where the cybersecurity landscape becomes an ongoing battle of AI versus AI, with medical device security at the heart of this evolving conflict.

Key takeaways from this episode

Early warnings about medical device vulnerabilities appeared as early as 2007, with concerns over the potential for hacking implantable devices like pacemakers for malicious purposes.
Critical medical devices, including insulin pumps and pacemakers, have been proven to be hackable, with demonstrations showing that attackers can remotely manipulate them to cause fatal harm.
Wireless connectivity, such as Bluetooth, is a primary attack vector for medical devices, and its range can be extended with specialized equipment, nullifying proximity-based security assumptions.
Regulatory bodies like the FDA are now mandating stricter cybersecurity measures for new medical devices, emphasizing a 'secure by design' approach and transparency through Software Bills of Materials (SBOMs).
A significant challenge in the industry is securing millions of legacy medical devices still in use that were manufactured before modern cybersecurity standards were implemented.
The future of medical device threats includes risks associated with advanced technologies like autonomous surgical robots, where a cyber compromise could have direct and fatal consequences without human intervention.
Artificial Intelligence (AI) is a double-edged sword in cybersecurity; while it offers powerful defensive tools, it is also being leveraged by attackers to create more sophisticated threats.
Patients with vulnerable legacy devices, such as recalled pacemakers, face a difficult choice between living with a known cyber risk and undergoing a potentially dangerous surgical procedure to replace the device.

Full episode transcript

Christian: Yeah, so in this episode, we're going to cover the evolution of medical device cyber threats, some of the past, the present and the future. Christian: So let's start off with the past. You want to start off a little bit, Trevor, some of the history of medical devices and cybersecurity attacks against them? Trevor: Yeah, so, what I, one thing that is sort of a early on device attack that has seen a little bit of coverage was actually some concerns that Dick Cheney had around 2007, relating his pacemaker. Trevor: So he had a lot of concerns that there could be an assassination attempt against him since his pacemaker had a wireless connectivity feature. And he was very concerned that someone could hack into it and try to kill him. Um, interestingly enough, there was a security researcher who was able to prove that his concerns were founded. They were able to take pacemakers and as a proof of concept, effectively change the functionality and assassinate someone with a pacemaker. So, it was, that was one of the original, kind of notable events in 2007 where medical device cybersecurity was really coming into, coming into play. Christian: Yeah, and that's like 17 years ago. This is pretty amazing. I think a lot of people don't realize implantables such as pacemakers have wireless functionality, and it's typically Bluetooth, because they occasionally need a firmware update. So you have to, you don't want to take it out of the patient every time you want to update it. So you do it with Bluetooth. And often data is read off of that device, such as diagnostic data or data about the patient. So that's why it has some sort of wireless capability. Christian: And then, we've also got hacks with the mysterious guy, Barnaby Jack, kind of a funny name, that he hacked an insulin pump, and was able to deliver the maximum dose of insulin over and over and over and cause somebody to die. He didn't do it on a real patient, but he did a demonstration at Black Hat, and this was in 2011. So only four years later. And these insulin pumps, what he was able to do was use a high-power antenna and connect to an insulin pump from a far distance and manipulate it that way. Trevor: Yeah, and then Barnaby Jack was the same guy who actually was discovering that pacemaker attack and was able to do the proof of concept as well, isn't that correct? Christian: He, yeah, he heard about the threat to Dick Cheney, from my understanding, and wanted to validate that that was a legitimate threat, and he proved he could do it. He proved he could connect to a pacemaker and shock somebody over and over and over. Uh, and he, you know, he likes to use these high-power antennas so he could do it from a a distance. A lot of people think Bluetooth is you have to be super close, but I've heard people sniffing and connecting to Bluetooth devices like a mile away if you have a high-power antenna. Trevor: Oh, that's really interesting. Yeah, I know that a lot of times we'll see uh proximity as a security control around Bluetooth. Someone will say, well, there's not really much likelihood of exploitation just due to the fact that Bluetooth is such a close-range communication. But that's not always the case. And, yeah, with specialized equipment, you can attack it from pretty far away. Christian: Yeah, there's a thing called a blue sniper rifle that is designed to connect to Bluetooth a mile away. It's a very directional antenna. It looks like a an actual rifle. You probably shouldn't walk around with it in downtown Phoenix or anything, but, you know, or New York specifically, California. But yeah, this guy did this research, was able to sniff Bluetooth from a mile away and connect to Bluetooth devices. So, yeah, proximity is not always a good defense, especially with wireless. We like to use it as a defense, but it's not really, not unless you have a Faraday cage or something. Trevor: Yeah, I think Arizona is probably the only place where you can walk around in a major city with a rifle and nobody's going to ask you any questions. Christian: Yeah, that's why I switched it to California or New York because I I was thinking, if I walked around with my rifle or even my shotgun, probably nobody's going to say anything. Because I've seen people in liquor stores with like a a gun in their holster. Uh, and I think, man, this is kind of interesting. This guy's in a liquor store, he might have been drinking, and he's got a gun like in a holster, um, you know, outside his waistband carry as a, you know, not concealed carry but open carry. So it's kind of interesting.

1 / 4