The infusion pump is partly dismantled on the desk and one of its circuit boards lies next to it. Probing the unit for weaknesses and coming up with a protocol to test other medical devices like pacemakers could point to a way to make them safer from hacking and cyberattacks, an Augusta University researcher says.
In this case, the hacker is Dr. Michael Nowatkowski, associate professor at the AU Cyber Institute, program director for Cyber Sciences and a senior research fellow with the Army Cyber Institute at West Point. The problem with many medical devices like the infusion pump is that when they were designed years ago, security really wasn’t an issue, he said.
“They were originally designed to be standalone devices and not connected to anything,” Nowatkowski said. “Most of these were originally designed not to connect to the Internet, so the security was in the physical security. You weren’t going to have people walking into patient rooms and messing with the pumps. But now that we’ve connected them to networks, people can do that remotely.”
As health care facilities moved toward monitoring at nursing or central monitoring stations, the devices were connected to networks either by wire or wirelessly – and sometimes without seemingly a great deal of forethought. Nowatkowski held up the circuit board where a wireless USB port has been soldered into the side.
“It makes for great productivity, the ability for a few people to efficiently monitor many devices versus someone having to go and check them all manually,” he said. “But it does increase the vulnerabilities or the risk of operating these.”
With wireless monitoring, for instance, depending on the signal strength, someone could be up to 300 feet away and still intercept it.
“There is a potential that you could even be sitting in the parking lot trying to pick up on the signals,” Nowatkowski said.
Then there are the vulnerabilities that are built into the machines themselves. Nowatkowski picked the infusion pump because there are six known vulnerabilities with these machines. For instance, the default password is stored in the machine itself, and there is no separate authentication process for changing the dosage-limiting database, he said. And that could present a serious problem.
“Say for a potentially lethal drug, morphine, if the database was written to allow three times the dosage, it could be potentially fatal,” Nowatkowski said. Someone could do that maliciously, or someone just hacking the machine to see whether it can be done could accidentally change settings, he said.
Because those vulnerabilities are already known, Nowatkowski is planning to use standard tools available for what is kindly known as “reverse-engineering” to validate what tools and processes can be used to find those vulnerabilities in a systematic way.
“Then what we’ll do is we’ll look at other devices that have not yet been researched and use those same techniques and procedures and use the same tools to see if we can discover similar vulnerabilities on those other devices,” he said. Nowatkowski is particularly interested in medical devices such as insulin pumps and pacemakers that might be active in a home environment.
“We’re interested in the interactions between the device and the patient’s home network,” he said. “One of the things that we’re interested in is the communications that go into the device and the communications that leave the device to see if there is any personally identifiable information that potentially gets sent out unencrypted over the Internet, any kind of health data that might get sent out. And also to see if there are ways from the outside that a potential hacker could influence the behavior of the device.”
While that might alarm patients, Nowatkowski said it is still almost impossible for someone to take control of their medical device remotely.
“The chance of something like that happening I would think is highly unlikely,” he said. “You’re much safer and you’re going to be much healthier with the device than you would without the device because you are afraid that someone would hack into it.”
Manufacturers are becoming more aware of those possibilities, however, and are starting to look at ways to make them less vulnerable. The same things that apply to medical devices could also be used to secure industrial systems and smart home devices, such as televisions and refrigerators connected to the internet – – often called the Internet of Things.
The long-range goal of the AU research is to try and give our students information on how to securely design these devices, Nowatkowski said. “Really where we’re trying to get with this is to develop a list of secure design principles for not just medical devices but looking at transferring those over to the Internet of Things devices and industrial control system devices.”
Reach Tom Corwin at (706) 823-3213 or firstname.lastname@example.org