In Cyber Security, Risk Mitigation Is the Heart of the Matter

October 23rd, 2013
Cyber security is a matter of the heart. At least it is if you're former Vice President Dick Cheney.

In a segment to air Sunday on 60 Minutes, Cheney said he had the wireless functionality of his Implantable Cardioverter Defibrillator (ICD) disabled for security purposes. Given Cheney’s disclosure and the easy connection to the fictional death-by-device-hacking of William Walden, the vice president in the popular Showtime series Homeland and something of a "funhouse mirror" version of recent vice presidents, whether such a move was necessary became a trending topic among cyber security and medical professionals.

Is it possible, numerous posts, tweets and interviews asked, to cause someone's death by hacking an implanted medical device?

While the specific answer is interesting, the lesson about the role of cyber security is all the more important.

Like any form of security, cyber security isn’t an absolute.

In physical security, there is no bank vault that can hold back a robber given endless time and resources, and no military installation that can't be overrun given the same limitless help. In the cyber world, as in the physical world, everything carries some risk.

Cyber security is no different. The purpose of effective cyber security is to use defense in depth to identify and greatly mitigate risk, while still allowing the beneficial functionality of the device being secured.

Excluding all risk simply isn't possible, but risk tolerance must be very, very low.

Consider the specific case of the former Vice President.

The risk itself, from my vantage point, is exceptionally low. (As a proviso, NJVC is not a medical device manufacturer. See articles like this one or this one for industry perspective.)

As background, Cheney's device, an ICD, is similar to the more familiar pacemaker in that it is a small, battery-powered generator implanted in patients at risk for sudden cardiac arrest. It can correct arrhythmia with low pulses of electricity, or act as a defibrillator with high-voltage pulses. (Pacemakers, meanwhile, only "pace" the heart, giving out low pulses of electricity, and cannot deliver a lethal, high-voltage shock. For more on ICDs and pacemakers, click here for more information from NIH.)

ICDs have been around since 1980, but it was not until 2007 that the FDA approved wireless functionality. Previously, all device monitoring and setting was done in office via near-field induction, which required physical skin contact. The introduction of wireless transmitting allowed doctors to monitor patients remotely, improving patient outcomes through more frequent observation, while providing a convenience for patients who no longer had to visit their doctor as often.

However, given that the device is designed to deliver a shock to the heart and, as of 2007, has a wireless capability, what is the risk of an ICD being hacked and an adversary using the intended function in a nefarious manner?

Cyber security, again, is about risk identification and reduction. Do risks exist here? Certainly, but many safeguards by device manufacturers and other real-world factors greatly reduce these risks.

First, no electronic device other than a physician programming unit can alter an ICD setting. So, contrary to what Homeland implies, no one can simply hack into your pacemaker through a remote, far-away Internet connection, or walk around with a handheld device and connect to your ICD as if it were an unsecured wireless printer.

Secondly, the wireless reporting capability is transmit only, not receive, meaning you cannot remotely change the device settings from an Internet connection. Monitoring occurs through a bedside box, which transmits data to a secure website. Intercepting that data with a man-in-the-middle attack is certainly possible, but interpreting the data typically requires a trained medical professional, and the interception itself poses no threat to the patient.

Another proposed threat vector, the introduction of a magnetic field, may interrupt the ICD's monitoring function and perhaps trigger a low-energy therapy shock, but this level of activity will not be felt by the patient, according to the American Heart Association.

The danger to a patient lies in a threat actor being able to change the device settings or trigger a high-voltage shock.

Here, too, safeguards are built in.

Device settings can only be administered by a telemetry wand placed directly over the device to establish communication. Once this physical "handshake," which requires proximity and information such as the device model and serial number, is completed between wand and ICD, remote communication is enabled and device settings can then be altered. This handshake step and the proximity it requires is what renders many fictional portrayals inaccurate.

Proximity is the biggest challenge. ICDs use a dedicated range of frequencies designed for medical devices, the MICS (Medical Implant Communications Service) band, a very narrow range between 402 and 405 MHz that helps prevent interference from other electrical signals. It is designed as a very low-bandwidth, bi-directional communication channel and uses very little power, hence the weak signal. (There are also 10 channels to avoid interference, requiring additional information to connect.) Without a signal repeater, effective range is two to three meters (and perhaps up to 50 feet, according to one expert).

From a risk standpoint, once an adversary is that close, there are many simpler ways to inflict harm on the intended target. Why orchestrate a complicated device-hacking scheme, which requires close, prolonged access to the target, the wand, knowledge of the ICD including its model and serial number, knowledge of the communication protocol, and a favorable alignment of other real-world factors, when simpler methods are available?

Is it a sufficient threat worth creating a level of defense which might conflict with the very valuable medical purposes of the device in the first place?

The most chilling scenario is always the completely remote case, where the villain hacks a communication channel and takes out a victim as easily as ordering merchandise online. That scenario, however, is not possible with current devices, and it certainly presents less of a risk than, say, requiring patients to undergo surgery every time a device needs to be checked. As technology continues to change, new vulnerabilities may open up, which means that vigilance is always warranted.

So was the former Vice President justified in disabling the remote wireless function of his ICD? For a person of his importance and symbolism, imposing extra security controls may represent a reasonable action in the face of a low likelihood threat.

But what is more important than the specific answer here is the lesson.

Cyber security is always about risk identification and mitigation. How much cyber security is necessary comes down to how much risk is acceptable in exchange for the beneficial functionality. Do the immense benefits outweigh the risks? Can the risks be effectively mitigated through defense in depth?

That question, of course, is the heart of the matter, ICDs and otherwise.