It’s the stuff of primetime TV drama – terrorists hack into a vice president’s pacemaker and assassinate him with electrical shocks to the heart.
By Gabrielle Fimbres
While the storyline is a work of fiction, the potential for “medjacking” – or malicious medical device hacking – is real.
David G. Armstrong, DPM, MD, PhD, professor, University of Arizona Department of Surgery, is joining forces with the U.S. Department of Homeland Security, the U.S. National Security Council, NASA and other government agencies and industry leaders to create strategies to keep the world safe from medjacking.
A podiatric surgeon and the director of the UA Southern Arizona Limb Salvage Alliance (SALSA), Dr. Armstrong is the lone medical academician on the Cybersecurity Standard for Connected Diabetes Devices Steering Committee, which meets for the first time July 20-21 in Bethesda, Md.
The UA is well represented on the committee, with the inclusion of Hsinchun Chen, PhD, a UA Regents’ Professor and the Thomas R. Brown Chair of Management and Technology in the UA Eller College of Management, who also is director of the UA Artificial Intelligence Lab.
While devices associated with diabetes are the initial focus, Dr. Armstrong said the committee is expected to examine the security of other medical devices. “As connected devices become more pervasive and powerful, the potential for malicious medical device hacking is becoming increasingly real,” Dr. Armstrong said.
Dr. Armstrong pointed out, “Medical devices – insulin pumps, pacemakers, artificial hearts, left ventricular assist devices, artificial pancreas constructs – are susceptible to the same unintentional or intentional and nefarious interruption and invasion as are bank accounts, ATM machines and credit card devices.”
While medjacking currently exists in the imagination and in laboratories, Dr Armstrong said it is only a matter of time before the issue “comes front and center.”
“No one really thinks about these things until there is catastrophic failure,” he said. “These sorts of hacks are definitely feasible, and reasonably clever people without a lot of resources can do some serious damage. We are trying to get out in front of this problem.”
The challenge for the Cybersecurity Standard for Connected Diabetes Devices Steering Committee is to mitigate danger without stifling innovation. Dr. Armstrong said patients must be confident in the safety of their medical devices, and companies must be secure that they are investing millions of dollars in technology that is safe from cyber attack.
The committee will examine how key elements included in embedded systems within devices can make them less susceptible to failure or malicious or unintentional breech.
The committee was formed after Dr. Armstrong, UA cardiologist Marvin J. Slepian, MD, professor of medicine and biomedical engineering and a member of the Sarver Heart Center, BlackBerry Chief Security Officer David N. Kleidermacher, and David Klonoff, MD, a California diabetologist who chairs the Diabetes Technology Society, collaborated on a manuscript, “The Regulation of Wireless Devices for Performance and Assurance in the Age of ‘Medjacking,’” currently under review by medical publications. The manuscript, which proposes setting guidelines for medical device cybersecurity, would be the first in medical literature to use the term “medjacking,” Dr. Armstrong said.
With manuscript in hand, Dr. Klonoff helped establish the Cybersecurity Standard for Connected Diabetes Devices Steering Committee. Members include representatives from Homeland Security, U.S. National Security Council, U.S. Food & Drug Administration, NASA, National Institute of Standards and Technology, National Institutes of Health and the U.S. Department of Defense. Also on the committee are industry leaders from Bayer, BlackBerry, Medtronic and Sanofi, as well as academic engineers and mathematicians.
Dr. Armstrong predicts efforts could inspire collaboration among UA faculty resulting in invention, intellectual property and new businesses. “The greater story is this falls right into the UA’s ‘Never Settle’ strategic plan, wherein clinicians and scientists come together with people from industry and the government to innovate and develop the next generation of technology to help people navigate their world and make life better,” he said.
Discussion has swirled around the concept of medjacking for years. “Since at least 2012 we have been talking about the impending merger of medical devices with consumer electronics,” Dr. Armstrong said. “Even the most advanced medical devices are similar to the things we have in our pockets or in our hands – iPhones, tablets, home computers.”
For that reason, we all have various IP addresses in or on us, which can make us susceptible to cyber attack. “These are all parts of what we call the ‘Internet of Things,’” he said.
The conversation heightened in December 2014, when brothers-in-law Dr. Armstrong and Dave Kleidermacher, the new chief security officer for BlackBerry and one of the world’s top experts in embedded systems security, discussed the issues while walking their dogs over the holidays.
They looped Drs. Slepian and Klonoff into the conversation during that same walk and the collaboration took off.
“We want guidelines in place so we can assure people that their medical devices are safe,” Dr. Armstrong said. “Medjacking will ultimately have its 15 minutes of fame, but we are trying to get out in front of those 15 minutes so we can focus on the promise and not the peril.”