Every single day we find novel ways in which we can make use of technology in our daily lives.
"This is not a situation where some malware would pester your personal computer" - Antonio Ghio
The emergence of the IPv6 protocol is seen as one of the most important building blocks for the internet of things by which demand, cost reduction, mobility and miniaturisation will mean that all our devices will in some way or another be connected to the internet. Through this complex architecture, everyday devices will become part of an intelligent framework within which every appliance or machine we use has its own unique address.
This revolution has also been felt in the medical world, where patents for intelligent medical cabinets have already been registered. The leveraging of RFID technology within the healthcare sector is but one of these developments. Imagine waking up in the morning and walking to your bathroom, where the mirror in front of you indicates what medicine you require on that particular day and time, dependent on your medical condition, while your intelligent medicine chest autonomously and intelligently re-orders your medicines on the fly so you never run out of your pills. This will be the future of the truly networked home.
The dependence of medical developments on technology has, however, triggered a number of concerns about the security of the delivery of wireless and radio signal instructions to healthcare-related devices such as insulin pumps, pacemakers and heart defibrillators.
This is not a situation where some malware would pester your personal computer or turn your machine into a zombie, making it part of some huge conglomeration of infested terminals that would be used to launch some DDoS attack. This is not a situation where specific computer viruses are unleashed to attack the national critical infrastructure of a country through the illegal and remote modification of electricity systems.
Neither is this a situation where your kids would play funny tricks on your connected refrigerator and order a year’s supply of vanilla peanut brittle ice-cream without your consent. Malicious attacks targeting our essential medical necessities are dead serious.
Recently, researchers at McAfee discovered ways in which they could scan and remotely modify the workings of insulin pumps within a 100-metre range. Similarly, scientists from the University of Massachusetts Amherst found a way whereby they could re-broadcast radio signals used within specific heart defibrillators, enabling them to switch them off at will.
In the mad rush to put on the market life-saving equipment that can improve our lives, medical advancements based on technological innovation have unfortunately underestimated the importance of internet and computer security. Suddenly there is a realisation of the fact that computer security should be ubiquitous in all devices that are connected to the internet and not just our home computers.
The ability of hackers to launch malicious attacks against medical devices which are connected to this internet of things should not be underestimated.
Legally speaking, our laws already cater for the challenges that cybercrime may pose to the internet of things and any attacks that a healthcare-related device might face. The definition of ‘computer’ found in our criminal code is wide enough to encompass not only traditional computing devices but also the revolution that a truly connected world will bring.
In fact, in Article 337B(1) of our Criminal Code, computer is defined as an electronic device that performs logical, arithmetic and memory functions by manipulating electronic or magnetic impulses and includes all input, output, processing, storage, software and communication facilities that are connected or related to a computer in a computer system or a computer network.
In addition, computer network is defined in our law as the interconnection of communication lines and circuits with a computer through a remote device or a complex consisting of two or more interconnected computers. Therefore, these definitions would apply not only to your tablet but also to your pacemaker or refrigerator. These devices would all be treated as a computer as long as they are connected to a computer network or the internet.
Article 337C(1) of the Criminal Code explicitly provides that anyone who without authorisation intercepts by technical means, non-public transmissions of data to, from or within a computer system including electromagnetic emissions from such computer or hinders or impairs the functioning or operation of a computer system will be guilty of a cyber offence.
Rarely do our laws manage to keep up with technological innovation, but in this case the legislator was forward-looking to ensure that developments in technology and the way we use such technology would not create unnecessary and dangerous lacunae in our cybercrime legislation.
The fact that our laws can handle the risks posed by the internet of things is not sufficient. Computer security should be ingrained in all connected devices, including medically oriented devices, in order to ensure that we not only have the law as a deterrent but that everything is built around strong security in order to minimise risks.
Dr Ghio is a partner at Fenech and Fenech Advocates, specialising in ICT Law (www.fenechlaw.com). He also lectures in ICT Law and Cybercrime at the University of Malta.