While the FDA certainly doesn't ban patches, the FDA approval process is fairly lengthy for changes of any kind, Hoyme noted, saying Boston Scientific typically experiences a wait of anywhere from one to nine months.
Medical devices such as pacemakers take years to develop and be approved by the FDA and are designed to have long battery life and durability of a decade. So planning for security risk over such a long timeframe is complicated, Hoyme and other researchers agree.
"The industry has a lot of challenges," acknowledged Hoyme. Boston Scientific itself is defining an encryption approach it hopes to apply in the future. But the reality for the industry is that it must acknowledge the potential for attackers to try to tamper with implantable devices and the supporting software used to remotely maintain them.
Also speaking on the DAC panel, Niraj Jha, professor of electrical engineering at Princeton University, said the broad range of medical devices has basically opened "a big attack surface."
Threats include wireless tampering, wireless battery draining, malware and software exploitation, and various side channel attacks related to tampering, he said. Looking at implantable devices, he pointed out they are really "embedded systems" associated with a "body area network."
It has become an accepted idea that medical devices can be compromised, as researchers have publicly demonstrated in the past; McAfee researchers did so last year through a remote compromise of an insulin pump, Jha noted.
Jha said it's fairly simple for an attacker to put together a tool to intercept radio communications from about $800 worth of easily found hardware and software, and to use it to attempt to compromise some medical devices from 20 meters away.
The question now, said Jha, is what can be done to improve this inadequate security. University researchers are tackling the problem in various ways, he pointed out. Princeton and Purdue researchers teamed up last year to come up with a kind of firewall for implantable devices called MedMon that would be used in pacemakers, insulin-delivery systems and brain implants. "It's like a firewall, it monitors traffic," said Jha. "It snoops on all communication to and from the device." If it detects an anomalous pattern or what it deems to be a malicious signal, it jams it.
Jha noted that researchers from the Massachusetts Institute of Technology came up with what's called "Shield," which is intended to protect the security of information flowing from implantable medical devices and to jam all unencrypted commands to the implanted device.
But the security problems in medical devices that prompt research concepts based on firewalls and encryption still haven't been ironed out in a way that would enable widespread use. Efficient encryption is hard not only because of the key exchange challenges but because encryption adds considerable processing overhead. However, one researcher on the panel, Ingrid Verbauwhede, a professor from Katholieke Universiteit Leuven in Belgium, pointed out that elliptic-curve cryptography is likely the most efficient technology for this.