“Medical care is the next cyber warfare,” technologist Janine Medina explained Thursday at a panel on the cybersecurity problems posed by the emerging prevalence of internet-connected medical and body-embedded devices.
Medina appeared alongside several other panelists at the Atlantic Council to discuss how “Internet of Bodies” (IoB) devices could pose security challenges requiring novel regulatory solutions. The conversation comes in the context of several high-profile attacks using Internet of Things-related devices, as well as the major leak of collected personal information after the hacking of credit-rating agency Equifax in July. According to Medina, as well as co-panelist Andrea Matwyshyn, the increasing incorporation of Internet of Things devices into human bodies, especially for medical purposes, exposes new risks for which individuals, corporations, and the government are insufficiently prepared.
The so-called “Internet of Things” (IoT) refers to the trove of internet-enabled devices beyond one’s laptop: the internet-connected car or thermostat or alarm clock. One analysis suggests there are now some 8.4 billion IoT devices, projected to grow to 20.4 billion by 2020.
Among these devices, Matwyshyn explained, are an increasing number of body-related tools, both medical and not. These may be as insignificant as fitness trackers like Fitbit, or as complicated as the antenna that artist Neil Harbisson had implanted directly into his skull in order to “hear” color.
The increasing prevalence of body-connected devices prompted Matwyshyn to develop her concept of the Internet of Bodies, referring to all of the internet-connected bodily devices, from heart monitors to pacemakers. As medicine and recreation both come to depend increasingly on internet-connected body devices, she said, they will face novel legal and security challenges.
“The legal and technological challenges of the Internet of Things will transfer into this Internet of Bodies,” Matwyshyn said, “particularly the challenges we’ve faced with respect to rampant security vulnerabilities in the Internet of Things.”
These vulnerabilities include the ease with which hackers can appropriate IoT devices into so-called botnets, which can be used to contribute enormous amounts of processing power to attacks on websites. Last October, the Mirai botnet attack temporarily took down major sites including Twitter, Spotify, and PayPal, primarily using a “swarm” of IoT devices. Other vulnerabilities include internet-connected devices susceptible to ransomware attacks, like the WannaCry outbreak that infected more than 200,000 computers in May.
The IoB, however, poses particular security challenges beyond those inherent in more mundane IoT devices. “The Internet of Bodies will for the first time mean that software will start causing physical harm to human bodies with some regularity, and this is a new step for law in particular to deal with, and to resolve the harms that will result from that,” Matwyshyn explained. Hacking of a toaster is one thing; hacking of a liver, something else entirely.
It is not entirely clear which actors would take advantage of the vulnerabilities inherent in the IoB, at least according to the panel’s response to a question from the Free Beacon on the topic.
“Ultimately, any vulnerability can be exploited by anyone who can write the code, regardless of what their intentions are,” Matwyshyn explained. She emphasized that minimizing vulnerabilities in IoB devices is essential, given the possibility of misuse by individuals and states alike.
With the ways the IoB could be misused still unclear, federal trade commissioner and panel member Terrell McSweeny argued, oversight from regulators is more important than ever.
“I think the FTC has been doing a terrific job with the existing authority that it has, doing the best that it can do to try to protect consumers in our increasingly connected economy and world, but I think it needs additional authorities,” McSweeny said.
She called for comprehensive privacy legislation to better secure individuals’ private medical information and other data collected by devices; clear regulatory lines drawn around what data can and cannot be used for; and a recognition that different regulators will need to collaborate, because the solutions for IoB devices are different from the solutions for driverless cars.
“And I think we need civil penalty authority,” McSweeny added, “because I think we need a bigger stick.”