Natural Health

Heart Devices May Be Vulnerable To Hackers

By: Drucilla Dyess
Published: Monday, 17 March 2008
pacemaker in chest

Printer Friendly

Text Size smaller bigger


According to an academic paper published March 12th at Secure-Medicine.Org, computer scientists from the Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts Amherst, and the University of Washington, have found that a combination pacemaker and defibrillator with wireless capabilities can be hacked. The paper (with some technical details omitted to protect against malicious copycats) will be presented May 19th at a security and privacy conference in Oakland, California, sponsored by the Institute of Electrical and Electronic Engineers.

The team of computer security researchers reported that it had been able to gain wireless access to the Medtronic Maximo DR combination heart defibrillator and pacemaker (Medtronic is the industry leader in cardiac regulating implants). The researchers were able to reprogram the device to shut down or to deliver jolts of electricity that would potentially be fatal to a person who was wearing the device.

Several million pacemakers and defibrillators have been implanted in patients in the United States. Defibrillators shock hearts, that are beating abnormally, back into normal rhythms. Pacemakers gently stimulate the heart to either slow or speed it up.
The research team was also able to pick up personal patient data by eavesdropping on signals from the tiny wireless radio that the manufacturer had embedded in the implant for use by doctors to monitor and adjust the device without performing a surgical procedure.

This information does not mean that all implant patients should be alarmed in regards to the security of the devices as it took more than $30,000 worth of lab equipment and a the technical expertise of a team of specialists to read the data gathered from the implant’s signals. And, the device tested was placed within two inches of the test gear.

The researchers stated, "We believe that the risk to patients is low and that patients should not be alarmed. We do not know of a single case where an IMD (implantable medical device) patient has ever been harmed by a malicious security attack. To carry out the attacks we discuss in our paper would require: malicious intent, technical sophistication, and the ability to place electronic equipment close to the patient. Our goal in performing this study is to improve the security, privacy, safety, and effectiveness of future IMDs."

The research paper is called “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.” The researchers outlined defensive possibilities that would enhance security without draining an implant’s battery including methods for warning a patient of possible tampering or requiring that an incoming signal be authenticated, using energy harvested from the incoming signals.

The research team chose Medtronic’s Maximo, as it was typical of many implants with wireless communications features. Radios have long been used in implants so that doctors can test them when patients are in for office visits. However, manufacturers are now designing devices for use over the Internet, allowing doctors to monitor patients from remote locations.

Medronic issued an email statement reporting that wireless security issues have been known for 30 years and that Medronic pays close attention to them. The company stated that it welcomed the opportunity to address security concerns with regulators and researchers with expectations that "such dialogue must be accurate, balanced and responsible."

"While all implanted devices must use wireless telemetry for programming -- typically in very close range (several inches to several feet) -- the risk of any deliberate, malicious, or unauthorized manipulation of a device is extremely low," Medtronic said. "In fact, to our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide."

The researchers believe that the test results propose that not enough attention has been paid to security in the production of medical implants equipped with communications capabilities.

Dr. William H. Maisel, a cardiologist and director of the Medical Device Safety Institute at the Beth Israel Deaconess Medical Center in Boston, was a participant in the project and said that the results were shared with the F.D.A. (Food and Drug Administration) last month. He stated, “We feel this is an industry-wide issue best handled by the F.D.A.”

The F.D.A. has increased the examination of radio devices in implants, but the focus has been on interference from other equipment compromising the safety or reliability of radio-equipped medical implants. However, in January, the agency published a document with a list of concerns about wireless technology that device makers needed to address which included the issue of security.

The implant industry’s second ranking Boston Scientific stated that its implants, “…incorporate encryption and security technologies designed to mitigate these risks.” In addition, St. Jude Medical, the third major defibrillator company, said it used “proprietary techniques” to protect the security of its implants and had not heard of any unauthorized or illegal manipulation of them.

Dr. Maisel advised that patients should not be alarmed by the discussion of security imperfections stating, “Patients who have the devices are far better off having these devices than not having them. If I needed a defibrillator, I’d ask for one with wireless technology.”