Sunday, November 22, 2020

Sunday Long Read: The Heart Of The Hackability Problem

I've mentioned more than a few times how the Internet of Things is pretty dangerous these days, because the now billions of devices connected to the internet aren't all exactly tooling around with bulletproof security on connections. But what if one of those "things" the internet is connected to is basically your very life itself?
 
Three nights before Christmas 2016, I was standing in my bathroom when a gallop broke out across my chest. It was ventricular tachycardia, a dangerous kind of arrhythmia where only one side of the heart pumps and does so at high speed, denying blood from moving through it. At the age of 23, I’d had arrhythmias all my life, but had never felt anything like this. Twenty minutes later, with the arrhythmia still going, I was in the back of a parked ambulance. Alone with the EMTs, I braced for the shock of a defibrillator.

The pain was overwhelming, like being grilled alive. It ran out from a center point in my chest and flowed into every organ, every limb, into my fingers and toes. Later, waiting in the trauma section of the Mount Sinai emergency room, doctors shocked me again.

Months of testing followed. I started taking drugs that would help reduce my arrhythmias, but in addition, my doctors suggested they replace my pacemaker with something called an ICD. The ICD would be a fail-safe, a tiny defibrillator inside my body that could go everywhere that I went.

When I came across an FDA safety notice warning that some ICDs, namely those made by a company called St. Jude, could be hacked, I was only days away from surgery. Once hacked, the devices could allow an external actor to gain control of the ICD, reprogram its functions, and inflict all kinds of damage—even trigger death.

The week before surgery, I texted my nurse practitioner about the FDA warning. She responded quickly, “Don’t worry. We’re using a different brand,” as if the issue was settled. In the blur of acute disease, I ignored the instinct to dig further into what exactly these cybersecurity concerns might mean or what other concerns might be hiding just below the surface.

When they first came to market in the 1980s, ICDs (implanted cardioverter-defibrillators) were implanted rarely, mostly in patients who had already experienced a life-threatening episode of ventricular tachycardia or even cardiac arrest. They were often called “secondary prevention” tools — meaning a patient has already experienced a life-threatening event and the device had the potential to stop a second event. In the 40 years since, clinical guidelines have changed dramatically, and the use case for ICDs has broadened. The United States has become the biggest market in the world for ICDs, with new ICD implantations increasing almost ninefold from 1993 to 2006. Doctors now implant at least 10,000 new devices each month in the United States. Many of these devices are now used for “primary prevention,” meaning a patient hasn’t yet experienced an event that could be stopped by an ICD, but they might be at risk for one.

In the past 13 years, these devices have also been fully integrated into the so-called Internet of Things—millions of everyday consumer items being programmed for and connected to the internet. Once connected to the internet, the devices ease the work of physicians and hospitals, who can now manage the device and monitor the patient’s condition remotely. Patients are typically charged each time their device sends data to the hospital. Think of it as a subscription—for your heart.

ICDs are just one increasingly popular medical gadget in a rising sea of clinical and commercial wireless health devices. Whether it is the growing suite of cardiac-monitoring devices available at home and on the go or an Apple Watch outfitted with diagnostic software, we are outsourcing more and more of our health to internet-enabled machines.

Having now lived with an ICD for more than three years and a pacemaker for the preceding 14, I understand intimately the consequences of being a body paired to the grid. If your smart fridge loses connectivity, maybe your food goes bad a few days early. But if a wireless ICD experiences a failure, the result could be lethal. I am stalked by the fear of the device misfiring and have wondered endlessly whether the documented security risks posed by these devices could end up harming me.
 
It's a fascinating story, and worth a read. Hackable hearts, and wi-fi wetware? We're definitely not far from the cyberpunk visions of futurists and sci-fi authors. I just hope we end up doing it right.
