EMBODIED VULNERABILITIES: COMPROMISING MEDICAL IMPLANTS presented at First 2017

by Eireann Leverett, Marie Moe,

Summary : This talk will be about medical device security and privacy, in particular for connected medical devices like implanted cardiac devices with remote monitoring functionality.
Gradually we are all becoming more and more dependent on machines. We will be able to live longer with an increased quality of life due to medical devices and sensors integrated into our bodies. However, our dependence on technology grows faster than our ability to secure it, and a security failure of a medical device may cause patient harm and have fatal consequences.
Medical errors are estimated to be the third leading cause of death in the US, according to a recent study published by BMJ (http://www.bmj.com/content/353/bmj.i2139). Medical errors are often associated with human errors, but patient safety is also threatened by security failures of medical devices. Loss of availability or integrity of patient data may indirectly cause patient harm, due to wrong diagnosis or treatment decisions based on incorrect data. However, there are no good statistics on the number of deaths caused by medical device security failures. Medical devices are collecting personal data on a big scale without any transparency on how the data is collected and how the information security and privacy of patient information is ensured by the medical device manufacturers. Additionally, patients are in many cases deprived from access to their own data generated by sensors and devices implanted in their body. The medical devices appear as “black boxes” with little information about their data collection capabilities and implementation of security and privacy features.
Marie's life depends on the functioning of a medical device, a pacemaker that generates each and every beat of her heart. This talk is about Marie's personal experience with being the host of a vulnerable medical implant, and why she decided to start a hacking project together with Éireann Leverett, investigating the security of her own personal critical infrastructure. Marie and Éireann will give a status update on their work in progress, including the lessons (not) learned, and comment on the recent advances seen in the field of medical device security, also with regards to ethical and legal aspects.