Researchers Killed a Simulated Human By Turning Off Its Pacemaker
With the increase in hacking these days, right from infecting a computer to remotely hacking a car in motion, one may wonder what would happen if a hacker decides to compromise your bionic arm, your pacemaker, or maybe your brain implant. Thanks to some students at the University of South Alabama, we have an answer: You die!
To see what would be the outcome of hacking a medical grade human simulation, a group of undergraduates recently at the university spent a few hours to find the same. And the results were as one would expect.
Meet iStan, the “most advanced wireless patient simulator on the market” with internal robotics that mimic human cardiovascular, respiratory, and neurological systems,” according to its manufacturer, https://www.caehealthcare.com/eng/patient-simulators/istan#block_3429. “When iStan bleeds, his blood pressure, heart rate and other clinical signs change automatically, and he responds to treatment with minimal input from an instructor. With wireless operation, iStan can be placed in any field location, including an automobile, and display all the vital signs and signals of a critically ill or injured patient,” CAE Healthcare added.
Costing $100,000, the simulated iStan is frequently used by hospitals to show and explain medical school students how to carry out procedures without killing people.
Mike Jacobs, Director of the simulations program at University of South Alabama, told Motherboard “They sweat, they cry, they talk. It responds to 300 different types of simulated medications and procedures, and the physiological response is identical to that of a human.”
Jacobs and his team decided to find out whether the medical training dummy was susceptible to similar types of attacks as compared to our regular technology. They carried out attacks that could be launches against iStan, concentrating on the communications between it and its controlling laptop’s front-end platform that utilizes Adobe Flash Player and Muse.
With no connected devices whatsoever, iStan, as a robot is much more susceptible to hacking than a human. However, iStan is almost certainly not more hackable than your average pacemaker, which has time and again proved to be susceptible. In contrast to a real human, one need worry about going to jail if you can hack iStan.
“The simulator had a pacemaker so we could speed the heart rate up, we could slow it down. If it had a defibrillator, which most do, we could have shocked it repeatedly. If it was the intent, we could definitely cause harm to the patient,” Jacobs said. “It’s not just a pacemaker, we could do it with an insulin pump, a number of things that would cause life-threatening injuries or death.”
iStan was handed over to a group of undergraduate students taking a cybersecurity class for a semester by Jacobs, who is not a hacker. The team of students was able to gain access to most of iStan’s functions just within a few hours, indicating that iStan’s operation was susceptible to denial-of-service attacks, security control attacks, and its PIN security lock could be busted open through brute force.
“We did this because we were wanting to beef up security on our end and put some safeguards in place. It may not be totally possible to prevent hackers, but, knowing these can easily be hacked increases your awareness of vulnerabilities,” he said. “It’s definitely concerning—if there’s a high profile individual with a medical issue, it certainly makes them vulnerable.”
The researchers went on to explain that “for security reasons” they were not revealing the actual PINs or full device MAC addresses.
The university’s hospital is looking into ways to wirelessly encode transmitted data sent between medical devices, added Jacobs.
The results were published by the team in the preprint journal arXiv, which means that their work has not yet been reviewed by their peers. work has not been peer reviewed yet. The doctors need to be prepared to cope with hackers and cyberattacks in hospitals in the future, suggests the team.
“Future practitioners will be trained to deal with medical device failures, byzantine or otherwise,” they wrote. “[Medical schools] will reinforce the use of alternate or traditional techniques that do not rely on technology.”