The prospect of medical devices getting hacked has the Center for Internet Security and others planning standards that will help secure them.
Former Vice President Dick Cheney recently reported that he had his heart defibrillator's wireless functionality disabled for fear of a hacker killing him via computer -- an unlikely but possible demise for a man with plenty of enemies.
Researchers have hacked into home electricity meters wirelessly, and modern cars can now be remotely taken over by hackers. Medical devices like pacemakers and insulin pumps also have wireless functionality, yet have virtually no security measures in place. Murphy’s Law dictates that it’s only a matter of time before someone with a wireless medical device is killed by a hacker, and there’s now an effort underway to create security standards that would increase the safety of such medical devices.
The Center for Internet Security (CIS) has joined with the National Health Information Sharing and Analysis Center and the Medical Device Innovation, Safety and Security Consortium (MDISS) to develop guidelines to make wireless medical devices as secure as possible, as quickly as possible.
The effort began about six months ago, CIS CEO Will Pelgrin told Government Technology, and he expects a meeting of experts on Nov. 14 will help kickstart development of an initial standard that will hopefully be completed by next year. By first developing a broad standard that applies to the medical device industry as a whole, they can begin to ensure the security of those devices. “The time to talk is over, the time to do is upon us,” Pelgrin said. “We can always improve upon it. So our goal is to get a benchmark out as soon as possible.”
Development will take a wide, multi-disciplinary approach, he explained. While cybersecurity experts like himself can advise on the technical side of things, they also need input from device manufacturers and from the health-care provider world. “We do this through a consensus approach,” he said, adding that wireless medical devices provide a great service that can improve people's quality of life, and they therefore need to be protected.
Pelgrin said he’s long been interested in control systems, so medical devices were naturally an attractive subject to approach. “When you think of mobile medical devices, there are many control systems and you can’t get any more personal than a device that’s implanted into yourself,” he said. When those technologies were first developed, they didn’t have wireless capabilities and the developers of those devices used a more clinical approach. But now that the devices span multiple worlds like technology, medicine and health care, there are new things to consider.
After a “low hanging fruit benchmark” is identified that can apply to a wide array of devices, then they will work on developing more standards for individual devices as needed. For now, the goal is to get something in place that can be built upon.
The first standards will focus on insulin infusion pump technologies, according to a CIS press release.