“Too vulnerable, over 150-200 breaches”

A medical device, from a pacemaker to a defibrillator, a wireless connection and that’s it for the hacker: the door opens to be able to manipulate the software and create danger. The target? The company that produces them and also the patient who wears them. Already Dick Cheney when he was vice president of the USA asked his cardiologists to remove the wireless function from his defibrillator for fear of being subjected to a terrorist attack against him. At the time an excess of ‘spy story’ but today it has become a trend to be observed very carefully.

“In the last 5 years, between 150-200 hacker attacks on medical devices have been recorded, made to extort money from the companies that produce them – demonstrating their security fragility – or to undermine the health of political figures. Medical devices are vulnerable objects because they are increasingly connected and which to date do not have any type of regulation that guarantees their safety from this point of view”. This was explained to time.news Salute by Gaetano Marrocco, full professor of Electromagnetic Fields at the University Tor Vergata in Rome and coordinator of the course in Medical Engineering, department of Civil Engineering and Computer Engineering. On the fears of diplomats wearing pacemakers, “there have been cases of diplomatic personalities visiting some countries at risk who have had discomfort caused by the magnetic bombardment generated at a distance”, warns Marrocco.

It is precisely in the Tor Vergata university that the ‘Cyber4health’ conference is taking place today, which presents the observatory on the cyber and physical vulnerabilities of medical devices. As part of the research activities carried out in collaboration with the Cyber ​​4.0 Competence Center, the Tor Vergata University has created the ‘C4h – Cyber4health’ Observatory, a platform for the IT security of medical devices, among the first in the world in the of its kind, aimed at providing a basis of technical and legislative knowledge on the vulnerability of medical devices, especially wireless, with respect to possible IT and electromagnetic attacks. “Smartwatches, pacemakers, defibrillators, insulin pumps, neuro-stimulators – adds Marrocco – are an open window from which one can exit but also enter and it can be done from afar by sending a malicious signal”.

The Observatory wants to stimulate a culture of ‘Cyber-Physical Security by Design’ which, starting from the knowledge of already ascertained or plausible problems, can mitigate the risks already in the definition phase of the medical device and the value chain enabled by it. “By bringing together expertise on medical devices, computer networks, electromagnetism, we created a platform where data on the vulnerability of medical devices was collected, also analyzing the scientific articles that dealt with the topic. Then it was assigned to systems used a vulnerability score, ‘Common Vulnerability Scoring System (Cvss), also based on the impact on the patient’s health”, recalls the teacher.

“The topic of cyber-physical security of medical devices assumes significant relevance for manufacturers, hospitals and patients especially in the current, and future, scenario of growing interconnection”, underlines Marrocco. Today there are millions of complex devices, “for example pacemakers, but also ‘stupid’ implanted devices – he explains – or rather that today they don’t have a detection activity but tomorrow they will be able to have it. I’m thinking of hip, knee, , today they only have a mechanical function but will soon be sensorized with a small processing unit. For example, a banal prosthesis can become intelligent and measure the temperature or understand if there is an infection. But at that point we will multiply the vulnerable objects by a thousand “.

The final message from Professor Marrocco is that “we must not be afraid”, but the objective of the work “is that the issues related to security” against hacker attacks and those “of always guaranteeing the health of patients, become requirements when the devices are designed”.