UA Surgeon Takes on 'Medjacking'

Dr. David G. Armstrong has joined an elite committee studying medical device cybersecurity.
July 17, 2015
Dr. David G. Armstrong

It's the stuff of prime-time TV drama: Terrorists hack into a vice president's pacemaker and assassinate him with electrical shocks to the heart.
 
While the storyline is a work of fiction, the potential for "medjacking" — or malicious medical-device hacking — is real.
 
Dr. David G. Armstrong, a professor in the University of Arizona Department of Surgery and a member of the BIO5 Institute, is joining forces with the U.S. Department of Homeland Security, the U.S. National Security Council, NASA and other government agencies and industry leaders to create strategies to keep the world safe from medjacking.
 
Armstrong, a podiatric surgeon and the director of the UA's Southern Arizona Limb Salvage Alliance, is the lone medical academician on the Cybersecurity Standard for Connected Diabetes Devices Steering Committee, which meets for the first time July 20 and 21 in Bethesda, Maryland.
 
The UA is well-represented on the committee with the inclusion of Hsinchun Chen, a UA Regents' Professor and the Thomas R. Brown Chair of Management and Technology in the UA Eller College of Management, who also is director of the UA Artificial Intelligence Lab.
 
While devices associated with diabetes are the initial focus, Armstrong said the committee is expected to examine the security of other medical devices.

"As connected devices become more pervasive and powerful, the potential for malicious medical device hacking is becoming increasingly real," Armstrong said. "Medical devices — insulin pumps, pacemakers, artificial hearts, left ventricular assist devices, artificial pancreas constructs — are susceptible to the same unintentional or intentional and nefarious interruption and invasion as are bank accounts, ATM machines and credit-card devices."
 
While medjacking currently exists in the imagination and in laboratories, Armstrong said it is only a matter of time before the issue "comes front and center."
 
"No one really thinks about these things until there is catastrophic failure," he said. "These sorts of hacks are definitely feasible, and reasonably clever people without a lot of resources can do some serious damage. We are trying to get out in front of this problem."
 
The challenge for the Cybersecurity Standard for Connected Diabetes Devices Steering Committee is to mitigate danger without stifling innovation. Armstrong said patients must be confident in the safety of their medical devices, and companies must be secure that they are investing millions of dollars in technology that is safe from cyberattack.
 
The committee will examine how key elements included in embedded systems within devices can make them less susceptible to failure or malicious or unintentional breach.
 
The committee was formed after Armstrong collaborated on the manuscript "The Regulation of Wireless Devices for Performance and Assurance in the Age of 'Medjacking'" with UA cardiologist Dr. Marvin J. Slepian, professor of medicine and biomedical engineering and a member of the Sarver Heart Center; David N. Kleidermacher, BlackBerry chief security officer; and Dr. David Klonoff, a California diabetologist who chairs the Diabetes Technology Society. The manuscript, currently under review by medical publications, proposes setting guidelines for medical device cybersecurity and would be the first in medical literature to use the term "medjacking," Armstrong said.
 
With manuscript in hand, Klonoff helped establish the Cybersecurity Standard for Connected Diabetes Devices Steering Committee. Members include representatives from Homeland Security, the U.S. National Security Council, the U.S. Food & Drug Administration, NASA, the National Institute of Standards and Technology, the National Institutes of Health and the U.S. Department of Defense. Also on the committee are industry leaders from Bayer, BlackBerry, Medtronic and Sanofi, as well as academic engineers and mathematicians.
 
Armstrong predicts efforts could inspire collaboration among UA faculty resulting in invention, intellectual property and new businesses.

"The greater story is this falls right into the UA's Never Settle strategic plan, wherein clinicians and scientists come together with people from industry and the government to innovate and develop the next generation of technology to help people navigate their world and make life better," he said.
 
Discussion has swirled around the concept of medjacking for years.

"Since at least 2012, we have been talking about the impending merger of medical devices with consumer electronics," Armstrong said. "Even the most advanced medical devices are similar to the things we have in our pockets or in our hands — iPhones, tablets, home computers."
 
For that reason, we all have various IP addresses in or on us, which can make us susceptible to cyberattack. "These are all parts of what we call the 'Internet of Things,'" Armstrong said.
 
The conversation heightened in December, when brothers-in-law Armstrong and Kleidermacher, the new chief security officer for BlackBerry and one of the world's top experts in embedded systems security, discussed the issues while walking their dogs.

They looped Slepian and Klonoff into the conversation during that same walk, and the collaboration took off.
 
"We want guidelines in place so we can assure people that their medical devices are safe," Armstrong said. "Medjacking will ultimately have its 15 minutes of fame, but we are trying to get out in front of those 15 minutes so we can focus on the promise and not the peril."