You have to disable your ad blocker to view the Washington Post, but it's a fun story.
So, this has been going on for a long time, but it's worth reading if you haven't before.
LAS VEGAS — Ten of the nation’s top medical device companies will give hundreds of ethical hackers free rein this weekend to poke and prod their pacemakers, drug infusion pumps and other devices — and look for bugs that could hurt people or even end their lives if they’re exploited by criminals.
And the hacks will take place out in the open — in a realistic hospital replica here at the Planet Hollywood Casino that includes hospital rooms, a lab for bloodwork, and neonatal and intensive care units.
“Medical devices are lifesaving and life preserving, but they also can have flaws that could put someone’s life at risk,” Beau Woods, who organized the Medical Device Lab at this year’s Def Con cybersecurity conference, told me. “So, we’re trying to create a safe space to bring security researchers and medical device manufacturers together.”
That marks a massive shift since 2011, when cybersecurity researcher Jay Radcliffe first demonstrated how he could hack his own implantable insulin pump at Def Con’s sister conference Black Hat.
Back then, Radcliffe got fierce blowback from the insulin pump maker Medtronic and from the broader device industry. Most medical device companies viewed hackers who tried to point out digital bugs in their products with a mix of suspicion and hostility — and worried that they were either exaggerating dangers or giving malicious hackers a road map to hurt patients.
Now, the medical device event is among Def Con’s biggest live hacking events. And medical device makers are engaging far more with the hackers than other industries are willing to help similar efforts to test their products at the conference. This year, vendors have submitted 40 medical devices for hackers to test, compared with about 10 last year.
And the U.S. government is on board, too. “In 2011, researchers felt they had no other recourse than getting onstage at Black Hat and doing a live demo of a potential hack to grab the industry’s attention,” Suzanne Schwartz, leader of a Food and Drug Administration division that focuses on medical device cybersecurity, told me. “After that, we really saw the need to bring everyone to the table.”
Since 2011 the FDA has released a series of rules urging device makers to vet their own products for digital vulnerabilities and to have a formal process for dealing with bugs found by outside researchers.
At a conference in January, the FDA urged companies to bring their medical devices to Def Con to face hackers in an effort Schwartz compared to the viral “ice bucket challenge” aimed at funding research to combat ALS disease. The agency also launched a webpage titled “Wehearthackers” where it publicized the companies that agreed to bring their products to Def Con.
“There have been some real growing pains in the process and we wanted the industry to see that FDA really values working together with [cybersecurity] researchers,” Schwartz told me.
Among the device makers that are participating this year is Medtronic, which is bringing a newer generation of its insulin pump for hackers to examine for bugs.
“There’s been a shift, not only at Medtronic, but industrywide,” Erika Winkels, a Medtronic spokeswoman, told me. “Security’s evolved … Medtronic has really made a concerted effort to embrace this community and we recognize the value they bring.”
Def Con’s medical device “village,” as hacking efforts are called at the conference, is also trying to bring in other groups that deal with medical devices.
The medical device company Abbott, which funded the mock hospital built by California Polytechnic State University’s California Cybersecurity Institute, is bringing a team of doctors to pair up with cybersecurity researchers doing the hacking.
“It really helps to create that hospital environment for the [cybersecurity] researchers to work,” Chris Tyberg, vice president of Abbott’s product security division, told me. “It will help them understand how these devices are really used, how they fit into the clinical setting, how a patient really uses this.”
The FDA has also invited patients with implanted medical devices to weigh in at the village, some of whom are also cybersecurity researchers, Schwartz told me.
“There is no intent toward making [patients] into subject matter experts, but certainly they need to speak the same language,” she told me, “to be able to have significant enough understanding that they can make that benefit-risk calculus so we can have an informed dialogue with patients around what those cybersecurity risks are.”
This is the last Cybersecurity 202 newsletter this week, due to the congressional recess schedule. Stand by for more news on the collaboration between the government and ethical hackers in Las Vegas in next week’s editions.