In what seems like something that should be relegated to a bad action movie or the sinister deeds of some cartoon villain, researchers have demonstrated that hackers have the capability to send radio signals that could reprogram implantable medical devices, such as pacemakers or insulin pumps. Fortunately, there have been no actual cases of fiends roaming the streets striking down people who depend upon pacemakers, but the mere fact that it is a possibility is frightening.
I honestly do not think that in his worst nightmare, Wilson Greatbatch, the inventor of the implantable pacemaker, who passed away September 28 at the ripe old age of 92, could have envisioned someone using an external signal to disrupt the heart-regulating device or drain its battery, causing the person’s heart to stop beating. However, in the sad reality that is modern society, where hackers need no reason to ply their dastardly deeds beyond, “I’m bored, what can I mess with?” it almost stands to reason – no matter how morbid that reasoning may be – that, when developing current generations of pacemakers, scientists need to consider how they can be hacked.
If it can be done in a lab it can be done in real life, so while the above scenario sounds frightening there is hope. Researchers at MIT and the University of Massachusetts are currently developing external radio-frequency jamming equipment that today's pacemaker users can wear to protect themselves. Scientists are also working on embedding such equipment into future generations of pacemakers.
This brings up a good question, though – what else remains from previous generations in these medical devices that may be vulnerable to modern technology?
Improving on technology usually means not having to reinvent the wheel. With all of the technology that goes into one of these devices, they cannot possibly be “re-invented” every time a new version is built or an improvement added. This means that legacy software abounds in these devices, and code that may or may not have been vulnerable to breach years or even decades ago may now represent a weak link in the device.
As scientists continue to build upon these devices and add improvements, one hopes that they are focusing not only on what’s new, but also on what is old in them. The problem, of course, is that there are so many lines of code that need to be assessed. Add to that code written in antiquated languages, and lines of code that do not need to be included or no longer meet current standards, and device manufacturers cannot depend upon manual assessments, which would be grossly inefficient at uncovering possible issues with code that regulates, controls and monitors these devices.
Much as it does for enterprise applications – the lifeblood of today’s business – automated analysis of the software that runs the device would certainly be a more efficient way of identifying issues with embedded legacy applications in medical devices and ensuring the structural quality of the software that runs them.
By using automated analysis and measurement to identify issues with code embedded in medical devices, companies can get to the heart of the matter and keep unauthorized hacking of implanted medical devices something found only in the lab or on the silver screen.