In 2008, as Sandler debated whether she could rely on a machine that was closed to her, a team of researchers at MIT became the first to crack an implantable medical device – and they did it without any prior knowledge of the programming. Using a Medtronic defibrillator wrapped in meat to simulate implantation, the team reverse-engineered the device’s communication signals and cracked the code. Once they successfully penetrated the software, they had complete control. They could deliver random shocks, prevent the device from delivering necessary shocks and obtain patient personal data such as the name and social security number stored on the machine. The crack gave the team complete remote access to the device and there were no security measures to stop them. It appeared that obscurity was the only security measure Medtronic had provided. The device didn’t even ask for password verification before handing over control.
Medtronic, often at the center of academic study because of the ubiquity of its devices in the field, dismissed the experiment as a fluke.
"To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide," the company said after the study began getting attention.
It was the same response it gave when diabetic IBM security analyst Jay Radcliffe cracked his own insulin pump live on stage in a matter of minutes at a computer security conference in Las Vegas in 2011. Again, the device required no password authentication to determine whether an incoming signal was friend or foe.
"I equate it to automobile security," the pacemaker hack study’s lead researcher, Kevin Fu, told MassDevice. "We are essentially driving around in cars where nobody’s locked the doors. Now is the time to figure out security before the risk becomes a threat."
Knowing that no one had yet infiltrated a medical device did little to comfort Sandler. The med-tech industry only recently began building wireless access into machines; it seemed just a matter of time before some bored miscreant or politically motivated group took aim at a public figure or unlucky passerby.
In March 2008, the same month Fu’s team published its work, nameless assailants attacked an online support forum used by epileptics, embedding flashing color animations that left people with migraines and headaches. By the following Sunday the attack had amplified, leading users to full-page flashing displays that left at least 1 woman in a catatonic state until her 11-year-old son came to her rescue by turning off the screen. It was the 1st known example of a large-scale crack designed to injure people, blurring the lines between digital mayhem and physical danger. Perhaps most disconcerting was the realization that faceless pranksters would band together to injure vulnerable strangers for no discernible reason. While the epileptics were only at risk while in front of their computers, if crackers aim their efforts at implanted medical devices, the victims’ only recourse is to put some distance between themselves and the attacker’s wireless signals. The fact that a medical device hadn’t been maliciously hacked yet didn’t comfort Karen as she continued her research and pushed off making a decision on her own implant.
"Basically, it’s never a problem until it is a problem," Kurt Stammberger, VP of market development at device security company Mocana, told us. "Viruses and hacking on PCs and computers … back in, say, 1994 wasn’t a ‘problem’ either."
It’s still true that there are no reported incidents of crackers attacking medical devices, but the scenario is hardly far-fetched.
"Security is not brain surgery; best practices have been around now for 20 years. It’s just an industry that really hasn’t had to worry about it very much until now. And that’s going to change very quickly," Stammberger said.
While device makers have mostly been silent on the issue of security, they’ve likely been working on it behind closed doors. Medtronic recently engaged the help of software security giant Symantec to help investigate the insulin pump hack that made headlines last year and issued a statement on one of its blogs acknowledging the possibility of a cyber-attack on a medical device.
"We have been increasing our focus on the prevention of tampering with our products," the company wrote, "which is necessary to keep pace with a new and rapidly evolving technology landscape." The med-tech titan is also working with the Dept. of Homeland Security to implement changes, a process that may take years.
Meanwhile, a security expert working for software security company McAfee announced that he successfully cracked an insulin pump and was able to deliver potentially lethal doses of insulin from as far as 300 feet away. Earlier this month he demonstrated the wireless hack on a dummy "pancreas," proving that he could pick up the device’s signal, penetrate its code and tell it to dump its entire insulin reservoir at once in a potentially lethal dose. The antenna he used was specifically designed for the purpose of scanning and hacking medical devices, but someone with skill and intent could produce something similar to sell online, a common practice in cyber crime.
As wireless technology improves and becomes more common among medical devices, the same threat looms for the pain management devices implanted in patients’ brains, the stimulator chips that help activate nerves in paralyzed veterans and the defibrillators that keep cardiac patients alive.
"There’s a worry that these devices, because they’re completely unable to defend themselves, will be taken out by the digital equivalent of a head-cold when they should be able to withstand the bird flu," Stammberger told us.
When Sandler finally decided to get an implanted defibrillator, just months after Fu published his study, she steered clear of the newer machines and chose a Medtronic EnTrust ICD, which has no wireless capability. In July 2010, Sandler published the result of her years of research in a paper entitled "Killed by Code: Software Transparency in Implantable Medical Devices," in which she defended open-source programming as the best route to solid, secure devices for patients. She chided the FDA for its policies and proposed that all source code for medical devices be available for scrutiny, in the interest of public health and corporate responsibility.
Sandler made the rounds to various tech conferences, and still occasionally gives speeches on the importance of open-source software for medical devices. She views her defibrillator as a double-edged sword. On 1 hand, it’s a life-saving device that protects her from sudden cardiac arrest. On the other, it’s a black box she’s not allowed to peer into.
"Most of the time I am so happy that I have a device – when I forget myself, when I run across the street and my heart rate races and I remember that I’m not supposed to do that, I am reassured that I have the device and it probably would kick in," she told us. "Especially in those moments I’m full of gratitude for having this device. At the same time, knowing the source code isn’t published – and therefore not knowing how safe it is – makes me very worried a lot of the time."