Humans may also be infected with PC viruses

British researcher, who demonstrated that virus on implanted chip could infect external systems, says effort throws security spotlight on implanted medical devices.

New research that points to the ability of a chip implanted in a human body to infect, and be infected by, other systems and devices may have serious implications for implanted medical devices, which are becoming more pervasive.

British researcher Mark Gasson found that a virus-infected chip implanted in his hand was able to contaminate external systems, as well as devices that connected to those systems, Xinhua News Agency reported last month.

In response to e-mail queries from ZDNet Asia, Gasson said the aim of the research was to draw attention to the lack of security in implantable devices, including medical ones.

"Most medical devices have little if any security, and as the technology develops, they will likely become vulnerable to attacks specific to that technology, and so we need to consider this as we develop the technology," he explained. "At this stage, we know of no medical device which is at immediate risk, but the potential is there in the future unless we address the problems of security."

According to the senior research fellow at the University of Reading's School of Systems Engineering, the chip implanted in his left hand near the base of his thumb allowed him to gain access to a building, as well as to operate a designated mobile phone. It was in his body for over a year before a vulnerability in the technology was deliberately exploited.

The computer virus was then able to infect the building access system, as well as devices that connected to that particular system. In a separate experiment, the building access system was used to pass the virus on to the chip implant in Gasson.

In line with Gasson's assertion that persons with invasive medical implants "over time consider them to actually be part of their body", the researcher said the scenario can be described as computer viruses infecting humans.

Lack of common platform limits attack impact

Ronnie Ng, Symantec's senior manager for systems engineering in Singapore, pointed out in an e-mail interview that as devices such as medical implants increase in popularity, cybercriminals will "find new ways to exploit the vulnerabilities in these devices in an effort to gain profit and valuable information".

According to Ng, most medical systems are currently proprietary and address a small percentage of the population, while attackers typically target vulnerabilities that will offer the biggest returns. However, there is a possibility that a standardized operating system will be developed for similar devices, which then makes this category a lucrative target for attackers.

"In a worst-case scenario, any infection or damage caused by malware could potentially negatively impact its user," he noted. "As the functions of implants would vary from person to person, any impact would likely be localized. However, once that happens, damage to the brand and image of the institution could be severe."

Should a virus get onto an implanted medical device, the removal process would be similar to getting rid of malware on a PC, Ng added. "The device can be restored to its factory settings or reprogrammed, which should remove any malware and close the security hole."

As such implants become more sophisticated, programs and utilities will also likely be created specifically to manage and secure these devices, whether solely from a medical device manufacturer or in partnership with a security vendor, he said.

He added that health authorities and medical bodies should look at implementing "stringent protocols and policies to govern the quality, usage and security of all medical implants". This applies particularly to any component that has or could potentially have access to sensitive data.

A spokesperson from Singapore's Health Sciences Authority, which regulates health products in the country, said common implantable active medical devices include cardiac pacemakers and cardiac defibrillators for patients with disorders relating to heart rate or rhythm. There are also implantable drug delivery systems for administering therapeutic drugs such as insulin in a controlled manner.

In the e-mail response, the spokesperson said software underlying such medical devices is usually designed with security features such as encryption. "Manufacturers of these devices remain responsible for the safety and quality of their devices and are expected to continue to enhance the security system as technology advances," she added.

In a statement Monday, market analyst Frost & Sullivan said the overall medical device market in the Asia-Pacific region will grow at a compound annual growth rate of 10.2 percent between 2009 and 2012, to reach US$62.3 billion by the end of the forecast period. Regional revenues are expected to make up just over a quarter of global market estimates for 2012.