Scores of medical devices that are currently in use have never been assessed by security researchers, so to build an understanding of security flaws, organizers of the BioHacking village at DefCon built a mock hospital equipped with "both new and older devices for hackers to tear apart," Lily Newman writes for WIRED.
Many medical devices have never been evaluated for security
Health care settings are filled with sensitive health care data, stored in sensors, scanners, monitors, and medical devices, such as pacemakers and insulin pumps. Many of these devices connect to larger, data-sharing networks, leaving patient information vulnerable to hacks, Newman writes.
While medical device security has improved greatly over the past decade, patients are still using hundreds of thousands, or possibly millions, of older devices that are not in line with best practices for security, Newman reports. Put another way, independent security researcher Adrian Sanabria noted that there are many medical devices available or being used today that have not been evaluated by security researchers.
Nina Alli, executive director of the BioHacking Village and a health care security researcher, said, "Medicine feels like one of the last industries to adopt technology in a secure, controllable way."
The hacking hospital
The new research being done at DefCon is possible thanks to a recent regulatory change. In 2016, medical devices were granted a Digital Millennium Copyright exemption to allow security researchers to legally hack the devices for research purposes.
Because of that change the DefCon hacking conference this year, is providing an immersive space for security researchers to examine medical technologies in its BioHacking Village, which opened this Thursday.
The BioHacking Village houses a hacking hospital, called the Medical Device Village, complete with hospital rooms, as well as a radiology department, pharmacy, laboratory, and intensive care unit. The "2,600-square-foot immersive hospital set" is stocked with newer and older versions of actual medical devices for researchers to hack, according to Beau Woods, a cybersafety innovation fellow at the Atlantic Council and an organizer of the village.
In addition to the mock hospital, this year's version of the Medical Device Village includes more hands-on hacking, particularly on lower-profile medical devices, according to Alli. Representatives from 10 medical device makers, including Medtronic and Philips Health, will also attend the conference to provide industry insight into the devices.
"We really wanted to immerse people in this environment and show them just how many devices there are to evaluate," Woods said. "But at the same time, we want to convey that it's not actually about the devices, it’s about patients—considering the context, considering the consequences."
The future of medical hacking
The organizers of the conference hope the Medical Device Village will make researchers and device manufacturers more interested in medical hacking by exposing them to the resources that are available to prevent security issues, according Sanabria.
For their part, device makers seem more interested in the information available at DefCon than they have in the past, according to Ali.
"[F]or a long time medical device manufacturers wouldn't come to DefCon," Alli said. "But they've become more open to working with researchers."
Alli said she's hopeful this is a good first step to bigger change in the device security space. "The whole ecosystem needs to undergo a change," Alli said. "Otherwise people are going to die, because we're being stupid" (Newman, WIRED, 8/6).