Doctors disabled wireless in Dick Cheney’s pacemaker to thwart hacking

library
crime | hacking | security

Former US Vice President Dick Cheney’s doctors disabled his pacemaker’s wireless capabilities to thwart possible assassination attempts, he said in an interview with CBS’s “60 Minutes” that aired on Sunday.

Cheney’s heart problems were bad: between 1978 and 2010, he suffered five heart attacks, underwent quadruple bypass surgery, and had a pump implanted directly to his heart. A defibrillator was implanted to regulate his heartbeat in 2007.

Cheney told his 60 Minutes interviewer, CNN Chief Medical Correspondent Dr. Sanjay Gupta, that at the time of the pacemaker implant, he was concerned about reports that attackers could hack the devices and kill their owners:

“I was aware of the danger, if you will, that existed.”

The TV show “Homeland” wasn’t even on the air yet, but a pacemaker assassination attempt was depicted at the end of last season.

Cheney found the assassination plot all too realistic, he said:

“I found [the depiction] credible because I knew from the experience that we had assessing the need for my own device that it was an accurate portrayal of what was possible.”

Cheney’s concerns were based on reality.

A year ago, the US Government Accountability Office (GAO), prodded by Congress, took the Food and Drug Administration (FDA) to task for ignoring the possibility that medical devices are susceptible to malware, unauthorized access and denial of service.

As the GAO’s report stated at the time, researchers had demonstrated the potential for incidents resulting from intentional threats in insulin pumps and implantable cardioverter defibrillators.

One example is the work done by the late Barnaby Jack.

In October 2011, Jack succeeded in overriding an insulin pump’s radio control and its vibrating alert safety feature, demonstrating the dumping of a potentially lethal dose of insulin without the pump alerting a wearer.

The FDA in June complied with the GAO’s marching orders, telling medical device makers and hospitals to strengthen security to prevent an intentional version of such hacking, unencrypted data transfer that can be manipulated or a host of other threat vectors.

Center for Internet Security President and CEO William F. Pelgrin told me that to date, there haven’t been any documented cases of successful attacks on mobile medical devices (other than those demonstrated in a research environment).

Nonetheless, he said, “the risk is real. Unsecured wireless devices are vulnerable to attack.”

Cheney’s revelation highlights the importance of protecting the devices, Pelgrin said.

In fact, these types of potential scenarios prompted the Center for Internet Security to launch a mobile medical device benchmark initiative earlier this year to develop solutions.

The resulting benchmarks will be recommended guidance for device makers, he said, focused on the detailed, step-by-step guidance of hardening a given device.

I asked Pelgrin why the effort to harden the devices has taken so long, and he remarked that the Center is actually getting ahead of the curve in proactively addressing these complex issues now, before a catastrophic event takes place.

Compare that with the auto or airline industries, for example, he said: in either industry, many accidents had to occur before changes were made to improve safety.

The changes certainly didn’t happen overnight, Pelgrin said:

What’s so encouraging to me in terms of mobile medical device security is that we are on the cusp of tremendous positive change, and we are doing it before accidents happen.

Besides, he said, when you’re dealing with mobile medical devices, availability is crucial. It’s one thing to hack a computer and knock it offline. That’s disruptive, but not necessarily fatal, he said.

But if a mobile medical device is hacked and unavailable – or altered – it can be “devastating”:

We must approach this process in a careful manner, with the input of many organizations and individuals, in order to develop security solutions without compromising the confidentiality, integrity and availability of the devices.

The Center is encouraging anyone who wants to join in the effort to contact them.

It plans on hosting a working session webinar later this month. To register and find more details, click here.