- Name: Doug Donovan
- Email: dougdonovan@jhu.edu
- Office phone: 443-997-9909
- Cell phone: 443-462-2947
The Internet of Things has long delivered on the promise of connecting everyday products such as smart thermostats, appliances, cars, and more.
But as the human body has come to occupy a central place in that connected landscape through fitness trackers, insulin pumps, pacemakers, and other wearable devices, the perils of cybersecurity have escalated.
Key Takeaways
- Fitness trackers, insulin pumps, pacemakers and other wearable devices are vulnerable to hacking.
- The federal government has implemented new procedures for manufacturers to assure cybersecurity of wearable medical devices.
- Johns Hopkins students are being taught to build devices with such threat management at the front end of the design process rather than as an afterthought.
Wirelessly infiltrating such medical devices to inflict harm has occupied many a fictional thriller—from the TV show Homeland to the novel Kill Decision—as well as real-life policy debates such as the vulnerability of former Vice President Dick Cheney's pacemaker. In 2019, the U.S. Food and Drug Administration took the historic step of recalling a specific type of insulin pump because of potential cybersecurity risks.
Still, medical device manufacturers have continued to push products toward the market before they have implemented fully integrated cybersecurity measures, focusing more on making sure the products are safe for patients than on protecting them from outside hacking threats.
Now, a new course offered by the Johns Hopkins Whiting School of Engineering, Medical Device Cybersecurity, is preparing students for the revised approval process mandated by the FDA, which has ramped up requirements for cybersecurity measures throughout the medical device design process.

[Image: Michael Rushanan. Credit: Will Kirk / Johns Hopkins University]
"Protecting these devices from cyber threats is not just a technical challenge—it's a matter of patient safety," states the syllabus for the class, taught by Michael Rushanan, a lecturer in the Department of Computer Science who earned his PhD from JHU in 2016. "A security breach in medical devices like pacemakers and insulin pumps can have life-threatening consequences."
The class provides an in-depth review of FDA cybersecurity guidance and the processes needed to meet those relatively nascent government requirements—from the initial design and development steps through device deployment.
The course teaches real-world case studies and provides practical exercises and simulations—including a final project that requires students to build actual medical devices equipped with airtight cybersecurity measures.
"We want the students to go into the field knowing how critical it is to apply cybersecurity risk management from the design stage," said Rushanan, chief scientist at Harbor Labs, the firm founded by retired Johns Hopkins professor Avi Rubin. "If you don't, device manufacturers are going to continue to have a ton of problems at the end of the process that can cost them hundreds of thousands of dollars to fix."
Rubin, who started the Johns Hopkins Health and Medical Security Lab, said manufacturers have become more aware of security issues than they used to be thanks to new comprehensive FDA regulations. But, he added, the class is a first for teaching that new landscape—from understanding the regulatory landscape to incorporating those requirements into the design process.
"This is a first-of-its-kind course on the cybersecurity of medical devices with a focus on the specific issues and challenges inherent in that environment," Rubin said. "The high level of regulation and the cyber-physical nature of devices that interact directly with humans, along with the privacy sensitivity of health data, represent a unique set of challenges. This course provides students with hands-on experience working specifically on medical device security. It will give students a launchpad into careers related to medical and healthcare security."
The students presented the products they developed with cybersecurity measures fully enmeshed in the designs on May 12. They included:
- ThermaTrack: provides real-time tracking of a patient's body temperature and can alert caregivers when it detects abnormal variations. The data is stored securely on the AWS cloud, where it can be accessed through a web and mobile application.
- Cardio Crisis: an ECG monitors heart activity through a sensor placed on the body, which is connected to a high-speed processor that transmits the data via Bluetooth to a smartphone application. It can detect cardiac irregularities in real time, allowing for quick responses by medical personnel.
- PulseLite: creates, analyzes, and displays echocardiographic data collected on a patient's body and provides remote monitoring to alert emergency contacts when abnormalities such as heart attacks are detected.
- HappyKittySleepyKitty: monitors sleep patterns and stress levels in individuals with PTSD and anxiety. The device tracks physiological indicators that correlate with stress spikes and sleep disturbances, providing real-time feedback and artificial intelligence-driven suggestions for interventions that can improve the users' well-being.
- NeuroMotion: tracks movement and other medical data for patients suffering from Parkinson's disease to determine if treatment is beneficial. It helps patients track their progress and optimize treatment plans that can assist with better recovery and positive mental health outcomes.