Imagine a pacemaker that your doctor can configure wirelessly, and which can be monitored remotely. It sounds like a medical breakthrough. What could go wrong? As with anything related to IoT – a lot, as it happens. Medical devices are being connected to the Internet of Things in ways never previously imagined, and the very things that might save lives now also might take them. While assassinations via remote-controlled pacemaker are still the stuff of fiction, it’s conceivable that other attacks could modify or damage an IoT-enabled medical device, or compromise the privacy of the patient.
Security researcher Maria Moe was astonished to learn that her new pacemaker had wireless capabilities. In looking for information about the threat landscape of medical devices, she turned to the work of Dr. Kevin Fu, who essentially created the field of medical device security and is the director of the Archimedes Center for Medical Device Security.
Dr. Fu and other researchers have outlined some of the fundamental design and implementation challenges for medical device security. How do you update the software of a device that has been surgically implanted? How do you protect the communication channels between the device and a monitoring station? How can you be sure that data is secured, but can be accessed in emergency situations? These issues are only the tip of the iceberg in the field of medical device security.
Even beyond these basic questions about IoT-enabled medical devices, the policy and laws governing medical device safety have struggled to keep up with burgeoning technology. The regulatory landscape will likely be radically altered over the next few decades, as new disruptive technologies appear on the horizon. Between the risk of accidental damage due to a computer virus, potential abuse by a malicious actor bent on causing harm, and the risk that health data is breached, IoT medical devices – and the regulations and standards that govern them – have a long way to go.