CYBER-CRIMES OF THE MEDICAL WORLD

Sixty-six-year-old Anup Jalota’s headline-making affair with 28-year-old Jasleen Matharu might have been a dupery stage-managed to keep viewers hooked to “Bigg Boss 12”. But what do you think when an everyday 80-year-old wealthy man weds a drop-dead gorgeous 22-year-old girl? Is it not plain as a pikestaff that the ravishing girl is with the oldie for his money? And if that pretty 22-year-old turns out to be a covetous consort who is in a big hurry to inherit the old man’s wealth, the mission of snuffing his life out and making his celestial discharge look every inch a natural death would turn out to be as easy as pie for the cute young girl, if the wealthy oldie, like most 80-year-olds of his ilk, happens to have either an implanted pacemaker or an insulin pump. All that the charming young girl would need to do is to remotely hack into his pacemaker and induce a heart attack or wirelessly tweak his insulin pump to deliver a lethal dose of insulin, sending him into a hypoglycemic shock.
If such a situation were to arise today, there are not many forensic scientists or post-mortem doctors capable of conducting a medical-cyber investigation to establish and prove the aforesaid scenario to be a case of murder. That’s because the proof of sabotage of a medical implant might not exist in the dead man’s body, but it could exist several miles away and several oceans across on some remote server. On top of that, as on date, there is only one forensic specialist in the world attached to Interpol who is conversant with medical device criminal acts.
Quite interestingly, the former United States vice-president Dick Cheney had a device implanted to regulate his heartbeat in 2007, but he had his doctors disable its wireless capabilities when he became aware and fearful of being assassinated by terrorists who he thought could exterminate him by sending an electronic shock to his implanted heart defibrillator. He, therefore, had his doctors replace the existing device with a new device that lacked Wi-Fi capability.
To boot, the US Department of Homeland Security (DHS) is currently investigating more than 20 medical devices which could be tampered with by outside agencies. Besides pacemakers, they include defibrillators, bedside intravenous fluid pumps, scanners and hospital networks.
Furthermore, the biomedical engineers at Stanford University have created a wireless battery-less robotic device so small that it can swim through the bloodstream, performing diagnostics and even microsurgery. The possibility of hackers being able to manipulate these robots to make them attack healthy tissue and make them dump drugs into the bloodstream when not needed could be a real threat.
The astounding ability of terrorists to hack into electronic implants like pacemakers to kill targets was explicitly depicted in the Emmy award-winning TV show ‘Homeland’ in its tenth episode titled “Broken Hearts”, where terrorists surreptitiously retrieve the unique serial numbers that correspond to Vice President Walden’s implanted pacemaker and assassinate him by wirelessly accelerating his heartbeat and inducing a heart attack. In the future, we could also have extortion attempts against medical devices. For example, a hacker could call in and inform the patient: “You have sixty minutes to transfer 10 Bitcoins to a particular account, failing which an 830-volt shock would get delivered to your heart.”
Shockingly, Barnaby Jack, the erstwhile director of embedded device security for computer security firm IOActive, not only developed software but also gave a live demo at the Black Hat Conference in Las Vegas in 2011, in which he demonstrated that he could remotely send an electric shock to anyone wearing a pacemaker within a 50-foot radius. He also proved that he had a system that scanned for any insulin pumps that communicated wirelessly within 300 feet, allowing one to hack into them without needing to know the identification numbers and then control them, to discharge either less or more insulin than necessary, sending patients into hypoglycemic shock quickly if excessive insulin was dispensed or into ketoacidosis if not enough insulin was dispensed over a period of time.
Medical implants are not something new; they have been around for decades, but only recently have they become increasingly accessible over wireless networks. The first Wi-Fi pacemaker in the United States was implanted in the chest of Carol Kasyjanski of Roslyn, New York, in 2009, and when the surgery was complete, her beating heart became the first heart to join the Internet of Things.
Millions of people today are depending on these fantastic technologies to stay alive. These implants communicate with the outside world via familiar radio-frequency protocols such as Bluetooth, Wi-Fi, RFID etc. These devices have become widespread in modern medicine given their shrinking sizes, their growing capabilities, and the manifest clinical benefits they provide. Wireless medical devices, such as the implantable cardioverter-defibrillators (ICDs), allow physicians to remotely monitor heartbeats and EKGs in real time, greatly reducing the need for expensive hospital visits. Should a problem be detected by the ICD, doctors can immediately contact their patients and notify them to come in for treatment.
The vast lifesaving potential of these advances cannot be overstated, but as we increasingly integrate information technology with our own biology, more and more people are joining the cyborg nation, with significant implications for their safety, privacy, and security. Unlike regular electronic devices that can be loaded with new updates, medical implants inside the human body require surgery for “full” updates. Restricted battery power availability is one of the greatest impediments to appending accessorial security features.
Nowadays, more than fifty per cent of medical implants have embedded software. A small error in software code, for instance, could mean the difference between delivering a 20 ml versus a 200 ml concoction to a patient, which could be deadly. The New York Times reported in 2010 that about 710 deaths were caused either because the hospital software malfunctioned or because hospital staff typed erroneous dosage data into a pump. There have been at least 500 deaths and more than 56,000 detrimental events because of issues with the user interface and infusion pumps.
As medication timing for patients is now being controlled by software, there can be critical errors because of mistakes in entry. Under-dosing, overdosing and, in some cases, death have resulted from failure on the part of authorities to adequately specify and test hardware and software. Similar problems also seem to exist with CT scanners and similar systems.
An investigation by the FDA revealed that more than 300 patients in 4 hospitals were over-radiated by powerful CT scans used to detect strokes. The overdoses were first discovered at Cedars-Sinai Medical Center in Los Angeles, where patients received up to eight times as much radiation as intended. The errors occurred over 18 months and were detected only after patients lost their hair. A wide variety of therapeutic devices such as MRI, X-ray, and anaesthesia machines, IV pumps, CT scanners, and ventilators have been riddled with computer viruses and found to be remotely hackable.
Recently, Medtronic, a medical implant company, resolved a cloud vulnerability in which an attacker could remotely access and modify patients’ pacemaker data. Its disclosures are documented in Department of Homeland Security industrial control system advisories.
Detection of such vulnerabilities led to the recall of almost half a million pacemakers by the US Food and Drug Administration (FDA) due to fears that their frumpish cybersecurity could allow them to be hacked to run the batteries down or even alter the patient’s heartbeat. The recall doesn’t mean that the implanted pacemakers were fished out, which would have meant invasive surgery for the 465,000 people who had them implanted; instead, the manufacturer sent a security update which was used to patch the security holes. Six types of pacemakers, all made by health tech firm Abbott and sold under the St Jude Medical brand, have been affected by the recall. They are all radio-controlled implantable cardiac pacemakers, typically fitted to patients with slow or irregular heartbeats, as well as those recovering from heart failure.
Leaving aside cyber-security, a most interesting phenomenon has been found to occur whenever medical doctors go on strike: quite surprisingly, the death rates go down! In 1976 in Bogota, Colombia, medical doctors went on strike for 52 days, with only emergency care available. The death rate dropped by 35%. In 1976 in Los Angeles County a similar doctors’ strike resulted in an 18% drop in mortality. As soon as the strike was over, the death rate went back to normal. A 50% decrease in mortality occurred in Israel in 1973 when there was a one-month doctors’ strike!
I was further flummoxed to know that doctors themselves are the most common cause of disease. The medical term coined to describe this problem is iatrogenic disease. Hospitals are supposedly a hotbed of iatrogenic disease. A study in the Southern Medical Journal reported that one in five patients admitted to a university hospital acquires an iatrogenic disease, and one in thirty of these leads to death. Of these iatrogenic deaths, half are complications of drug therapy and 10% result from improper diagnostic procedures. Another study of 815 consecutive patients in a university hospital over an eight-month period found that 36% had a disease caused by their doctor, and 2% of all hospital patients died from an iatrogenic disease, which means 700,000 hospital/doctor-caused deaths per year, which would account for one-third of all deaths.
In the last analysis, a hacker is someone who breaks into computer systems or medical implants. Just as medical devices and our computers can be hacked, our souls can be hacked by temptations, evils, greed, lust, sins, etc., but, as with a computer, it’s possible to reset them to default settings through spiritual hacks such as contemplation, meditation and a positive mental attitude.
Source from: epaper/deccanchronicle/chennai/dt:17.12.2018
Dr. K. Jayanth Murali is an IPS Officer belonging to the 1991 batch. He is borne on the Tamil Nadu cadre. He lives with his family in Chennai, India. He is currently serving the Government of Tamil Nadu as Additional Director General of Police, DVAC.