John Graham is an assistant vice president and senior technology specialist with the Chubb Group of Insurance Companies.
At the August Black Hat security conference, an attendee, Jay Radcliffe, demonstrated how he could wirelessly hack into his own insulin pump and increase or decrease the dosage or shut it off entirely. Given the rate at which technology progresses, will we soon be reading headlines about how hackers are committing attacks against people with pacemakers? Or maybe they’ll be extorting money by threatening to shut down someone’s implanted device? In the near future, there’s a good chance that more medical devices will be wirelessly accessible than exist today. Radcliffe’s demonstration has already prompted two Congressmen to urge the Government Accountability Office to investigate security concerns around wireless medical devices.
The growing use of wireless medical devices also raises another issue: privacy. Radcliffe noted that an unencrypted data stream facilitated his experiment. As wireless medical devices become more numerous and are called upon to provide more functions, what will be the risk to an individual’s medical information? Will some devices actually hold enough health information to be able to personally identify the patient? What will be the liability to your company if you manufacture the software that runs the device or the medical device itself?
Security needs to be an integral part of any software development lifecycle, but perhaps more so when the software is integrated into a wireless medical device.
- John Graham