If Your Medical Device Was Hacked, Just Try to Prove It

Shelby Kobes
Add to favorites

Now that wireless device technology has advanced into the medical field, there could be a whole host of legal and ethical issues around harvesting data off devices to effectively catch and prosecute a hacker in the event of an attack.

For now, the issues that arise in developing a chain of custody for this type of data could allow for hackers to use legal loopholes to disallow evidence.

This should be a cause for concern because new devices are entering the market on a daily basis that incorporate wireless technology, which creates a growing concern about their security. Devices could be compromised, without any reliable proof of who did it.

Common computer-based forensics uses the approach of physically removing the hard drive from a computer to make a bit-for-bit mirror image of the hard drive. The software used to analyze the images is well-developed and robust. And yet the same techniques do not work for wireless devices because of the broad variety of different operating systems and communication networks they support.

It is paramount that medical device companies and hospitals start to look at comprehensive forensic strategies for this area of technology. If attacks started to happen on medical devices, important forensic information would otherwise be lost or handled in a way that would make it hard to use in a court case.

There are many advantages that wireless medical devices can provide for the doctor-patient relationship. The overall effectiveness of medical devices can greatly improve diagnosis by giving doctors a complete picture of the patient’s health. Many of the new devices on the market today will greatly advance the doctors understanding of conditions and direction of treatments. It has led to an explosion of medical devices that incorporate wireless technology.

But the advancement of these technologies has opened the door for a new type of cybercrime.

Plus, the medical device industry has not had the best record when it comes to tracking down how problems with existing technology took place.

The FDA database for Medical & Radiation Emitting Device Recalls found that between 2002 and 2010, there were 537 recalls of medical devices that affected as many as 1.5 million individual devices in the U.S., according to a 2011 analysis by a University of Massachusetts Amherst researcher.

When it comes to external defibrillators, the FDA has found the amount and quality of information in these reports to be highly variable across manufacturers, according to a 2010 report from the agency. The lack of reports indicated a significant proportion of their malfunction failed to contain adequate information about the root cause of the problem, which limited the FDA’s ability to identify, track, and address device safety problems. The situation suggests that these manufacturers may not have conducted appropriate follow-up or appropriate forensics.

The problem is embedded in the lack of forensic protocols and toolkits. Most medical devices go unchecked for cybercrimes or compromised software. The FDA did send warning letters to the manufacturers of these devices and cited some of them for not taking actions to address these issues. This is of little comfort to those who are implanted with wireless medical devices.

The first step of any forensics case is seizure of the device. Seizure of implantable medical devices has many roadblocks that need to be thought out and tested before an incident happens. Most internal medical devices have a substantial power supply, but some attacks on them could intentionally drain the power supply from the device to make it malfunction. The issue with seizure of a medical device becomes more involved with the device’s location, how quickly you could get to the device, and what legal issues are involved.

Implantable medical devices will have to be removed from a patient before forensics can be done. A malfunctioning device will need to be replaced immediately, but there still could be many days of information being collected on the device. There needs to be a procedure for cleaning, long-term data storage, and internal device storage so that hospitals will know how to handle these devices if a forensic need appears in the future.

A potential solution for this problem would be to have some form of removable memory inside the device. When the device is removed from the patient, the hardware could be opened and the memory extracted, allowing it to be stored in an external database. Once the data has been removed, the device could be sterilized. A record of the device’s operation could be easily stored for further analysis in the case of evidence tampering. This would also give medical device companies and researchers a lot of information on the performance of their machines.

As the fields of devices get more complex and more devices have wireless capabilities, the need for a clearly-defined forensic process will become evident. The information that is stored on medical devices could provide a valuable link to what a patient was experiencing just moments before an event happens. Some of the information that these devices contain include heart rate, average heart rate, time and date of the last link, programming changes, voltage and the duration of the episode. This information could give investigators the exact time of death, the exact time of any programming changes, and any increase in stress prior to an event.

Without a defined “chain of custody” for medical devices, I fear all of this data would be worthless in our current court system.

A picture Shelby Kobes took of a pacemaker's electronic innards.
A picture Shelby Kobes took of a pacemaker's electronic innards.