Pacemakers Under Attack: When the Internet of Things Gets Sick


We’re now in an era where everything can be and will be connected.  From house appliances that you can remotely control with your smartphone via an app, to implantable medical devices that control your insulin injections, just about every electrical device known to man will soon be wired up to the web.

The Internet of Things will bring about numerous, miraculous benefits, but it won’t be without its dangers. The problem with having all of these devices hooked up to the Internet is that they become vulnerable to cyber attacks.  And we should be extremely worried about this fact.

The US FDA recently issued a warning regarding such threats, stating that it has identified more than 300 medical devices which are at risk of falling to cyber attacks, including insulin pumps, implantable cardioverter defibrillators, anesthesia devices, drug infusion pumps, ventilators, and pacemakers.

“Over the past year, we’ve become increasingly aware of cyber security vulnerabilities in incidents that have been reported to us,” William Maisel, deputy director for science at the FDA’s Center for Devices and Radiological Health, told Reuters.

“Hundreds of medical devices have been affected, involving dozens of manufacturers.”

Cyber security experts and analysts have voiced their concerns regarding this threat in the past, illustrating just how frightening it could be if malicious persons could hack these medical devices and alter them in some way. Just imagine, for a second, being able to set a pacemaker to explode, or to sabotage an insulin pump so that it fails to release insulin when needed. You’ve got the perfect murder scenario right there… and unfortunately, this scenario is all too real.

The legendary hacker Barnaby Jack was supposed to discuss this very threat at this year’s Black Hat convention. Unfortunately, his time ran out before he was able to share his knowledge on hacking pacemakers and insulin pumps.

According to reports though, we can be certain that Jack had developed software capable of hacking into any pacemaker and remotely sending an 830-volt electric shock through the device from a distance of fifty feet – something that would almost certainly result in instantaneous death. Jack also found a way to hack into insulin pumps in hospitals to deliver more or less insulin to patients. Altering the amount of insulin delivered could easily send the patient into shock or a coma, and maybe even kill them.

The FDA is now calling on medical device manufacturers and health care facilities to take the necessary precautions to prevent this nightmare from turning into reality.  The FDA has yet to confirm if there have been any casualties related to such attacks.

“The FDA is recommending that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack,” the warning said.

To meet these growing concerns, the Center for Internet Security has announced a new initiative to bolster the protection of Internet-connected medical devices from cyber attacks. The CIS has issued a request for information from US medical device manufacturers, inviting their voluntary participation in a project aimed at developing security control guidelines to reduce cyber risks in medical devices.

The guidelines will provide clear recommendations on how medical devices should be securely configured.  The first benchmarks will be focused on insulin infusion pumps, with other benchmarks being developed on an ongoing basis.

The benchmarks are intended to build upon the Food and Drug Administration’s draft “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.”

“The technological advancements that enable healthcare providers to embed life-saving devices and treat patients remotely are tremendous. We must do everything we can to protect those devices and the patients who rely on them. CIS is pleased to lead this collaborative effort to develop implementable security baselines that can help further strengthen defenses against cyber attacks,” said William F. Pelgrin, CIS president and CEO.

The first organizations to join the CIS in this initiative are the National Health Information Sharing and Analysis Center, and the Albany Medical Center.