After two years of research and a joint effort between groups of security experts working at separate academic institutions, a professor and a graduate student showed attendees at hacker conferences Black Hat and Defcon how to build a "cheap" $1,000 system to mimic the control mechanism on a pacemaker. The researchers were able to eavesdrop on private data that identified the patient, doctor, diagnosis and the device's instructions. They could also control the device to put it into test mode, to drain the battery or turn off therapies.
But that was 2008.
For the first time at this year's DefCon there was a full track for kids. There was also a talk by computer security expert Jay Radcliffe who explained to attendees how easy it was to hack into an insulin pump. Radcliffe himself is a diabetic and his demonstration was meant to sound the alarm that these devices are not yet secure enough. While most media reports didn't make this clear, Radcliffe did not teach the hackers at DefCon how he took control of a pump -- he used the podium to explain that it was possible. Radcliffe also noted that pace makers, intravenous pumps, and blood pressure cuffs are among the other connected health devices that have been successfully hacked in recent years.
Radcliffe's demonstration worked.
This week Representatives Anna Eshoo (D-CA) and Ed Markey (D-MA) asked the General Accountability Office (GAO) to study the safety, reliability and compatibility of wireless-enabled medical devices and the regulatory bodies that oversee them. Specifically, the letter asked GAO to do five things: Determine to what extent the FCC is identifying the challenges and risks posed by the proliferation of wireless-enabled medical implants and other devices; making the regulatory process for these devices more efficient; ensuring these devices do not cause harmful interference with other equipment; ensuring these devices are safe reliable and secure; and working with the FDA to coordinate these activities.
Given the legislators focus on the FCC, I can't help but think this is follow-up from the American Telemedicine Association's recent public letter, which criticized the FCC for its "great silence" on healthcare issues.
“Despite the promises, the rhetoric and the official criticism, a great silence has settled over the Commission regarding these issues,” ATA President Jonathan Linkous wrote at the time. “Now, we also note the departure of every key professional staff from the Commission involved in healthcare policy. It is deeply troubling to see that the Commission is allotting practically no resources with no apparent plans to address the proposed rulemaking, the approved Broadband Plan or to respond to the GAO report.”
In effect, the members of Congress are asking the GAO to find out if the FCC is actually acting the way the ATA said it was.
Researchers have already proven that wireless-enabled implantable devices improve care. In a landmark 100,000 patient study published in the medical journal Circulation last December, patients whose implanted cardiac device included wireless-enabled tracking faced half (50 percent) the mortality rate than those who only received follow-up care at device clinics.
The FDA and FCC should be ensuring the security and interoperability of these devices as the members of Congress point out, and kudos to concerned patients like Jay Radcliffe for evangelizing the need for greater security in these life critical devices.