Call Carmody Moran today: 01 – 827 2888
Hackable Pacemakers: The next medical device class action suit?
If the Thalidomide compensation and the De Puy hip replacement cases were not already keeping the profession here busy enough, medical injury lawyers may not have to wait much longer for the next ‘super’ class action suit to arrive.
For the moment, however, this is all academic but not if the worst prognostications of this computer security architect come to pass.
On Wednesday, McAfee researcher Barnaby Jack, delivered a startling video presentation at a conference in Melbourne, where he revealed that he could hack the software in pacemakers and defibrillators in such a way that one could maliciously deliver a shock of 830 volts to the heart of a targeted patient.
The alleged devices in question are particular (manufacturer-unspecified) wireless pacemakers and implantable cardioverter-defibrillators (ICDs).
These type of medical devices are part of the new generation of medical technology which allow both monitoring of patients by telemetry and also reprogramming of the devices remotely without surgical intervention. It is the latter feature which has allowed for this apparent vulnerability.
Jack says medical device manufacturers should be held liable for vulnerabilities in their products. “I 100% agree that they should be held liable… removing liability from the manufacturers is ridiculous. It allows them to write shoddy code and have no consequences from it,” he says.
Apparently, there have been 4.6 million of these device types sold in the US alone.
According to the conference report in ComputerWorld, Jack maintains that these unnamed device manufacturers have hitherto failed to encrypt their software properly, leaving potential backdoors open to hackers.
Most of the devices would require fairly close range contact with the the subject to cause harm but increasing radio frequency ranges are coming on stream.
Their report says Barnaby Jack also claims to be working on a ‘product’ called Electric Feel which could randomly sense the proximity of a such a medical device implanted in a person and deliver such a shock.*
*(Sometimes known as black hat defence, it is commonplace for legitimate security professionals to develop, albeit not deploy, potentially pernicious software in order to combat threats and make vulnerabilities known to their existing or potential clients – an effective if not always controversy-free tactic, particularly perhaps in such a case as this where public alarm is least ably borne by the most affected constituency i.e. those with with dodgy hearts!)
This slightly facetious point above notwithstanding, it does underline the difference in emphases of IT, legal and medical professional competences. For example, medical regulatory bodies have expertise in patient efficacy and safety issues but what about computer code? If an IT boffin publicly exposes a provable device security flaw, which is fundamental and has no quick ‘patch’ fix, could emotional pain and suffering damages be sought even if such mooted hacker attacks are yet to materialize?
Apparently at even its most innocuous, private patient data could currently be gleaned from the devices by hackers equipped with the known code exploits. In a society inured to data leaks this would be small potatoes compared to the appalling vista below as according to The Register tech blog;
Jack also warned of a worst-case scenario in which a worm could infect multiple devices, spreading from patient to patient, re-flashing the devices with malicious code as it foes [sic]. This code could be programmed to deliver fatal shocks to patients implanted with vulnerable implants at a scheduled time.
Barnaby Jack says he wants to work with the manufacturers in question to improve security, but doubtless now there will also be a dubious cadre of similarly astute hacker programmers who will relish the prospect of such a tantalizing type of target to cause distress or worse.