Supported by
A Heart Device Is Found Vulnerable to Hacker Attacks
To the long list of objects vulnerable to attack by computer hackers, add the human heart.
The threat seems largely theoretical. But a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker.
They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal if the device had been in a person. In this case, the researcher were hacking into a device in a laboratory.
The researchers said they had also been able to glean personal patient data by eavesdropping on signals from the tiny wireless radio that Medtronic, the device’s maker, had embedded in the implant as a way to let doctors monitor and adjust it without surgery.
The report, to published at www.secure-medicine.org, makes clear that the hundreds of thousands of people in this country with implanted defibrillators or pacemakers to regulate their damaged hearts they include Vice President Dick Cheney have no need yet to fear hackers. The experiment required more than $30,000 worth of lab equipment and a sustained effort by a team of specialists from the University of Washington and the University of Massachusetts to interpret the data gathered from the implant’s signals. And the device the researchers tested, a combination defibrillator and pacemaker called the Maximo, was placed within two inches of the test gear.
Defibrillators shock hearts that are beating chaotically and dangerously back into normal rhythms. Pacemakers use gentle stimulation to slow or speed up the heart. Federal regulators said no security breaches of such medical implants had ever been reported to them.
The researchers said they chose Medtronic’s Maximo because they considered the device typical of many implants with wireless communications features. Radios have been used in implants for decades to enable doctors to test them during office visits. But device makers have begun designing them to connect to the Internet, which allows doctors to monitor patients from remote locations.
The researchers said the test results suggested that too little attention was being paid to security in the growing number of medical implants being equipped with communications capabilities.
“The risks to patients now are very low, but I worry that they could increase in the future,” said Tadayoshi Kohno, a lead researcher on the project at the University of Washington, who has studied vulnerability to hacking of networked computers and voting machines.
The paper summarizing the research is called “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.” The last part refers to defensive possibilities the researchers outlined that they say would enhance security without draining an implant’s battery. They include methods for warning a patient of tampering or requiring that an incoming signal be authenticated, using energy harvested from the incoming signals.
But Mr. Kohno and Kevin Fu, who led the University of Massachusetts arm of the project, said they had not tried to test the defenses in an actual implant or to learn if anyone trying to use them might run afoul of existing patent claims.
Another participant in the project, Dr. William H. Maisel, a cardiologist who is director of the Medical Device Safety Institute at the Beth Israel Deaconess Medical Center in Boston, said that the results had been shared last month with the F.D.A., but not with Medtronic.
“We feel this is an industry-wide issue best handled by the F.D.A.,” Dr. Maisel said.
The F.D.A. had already begun stepping up scrutiny of radio devices in implants. But the agency’s focus has been primarily on whether unintentional interference from other equipment might compromise the safety or reliability of the radio-equipped medical implants. In a document published in January, the agency included security in a list of concerns about wireless technology that device makers needed to address.
Medtronic, the industry leader in cardiac regulating implants, said Tuesday that it welcomed the chance to look at security issues with doctors, regulators and researchers, adding that it had never encountered illegal or unauthorized hacking of its devices that have telemetry, or wireless control, capabilities.
“To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide,” a Medtronic spokesman, Robert Clark, said. Mr. Clark added that newer implants with longer transmission ranges than Maximo also had enhanced security.
Boston Scientific, whose Guidant division ranks second behind Medtronic, said its implants “incorporate encryption and security technologies designed to mitigate these risks.”
St. Jude Medical, the third major defibrillator company, said it used “proprietary techniques” to protect the security of its implants and had not heard of any unauthorized or illegal manipulation of them.
Dr. Maisel urged that patients not be alarmed by the discussion of security flaws. “Patients who have the devices are far better off having these devices than not having them,” he said. “If I needed a defibrillator, I’d ask for one with wireless technology.”
Explore Our Business Coverage
Dive deeper into the people, issues and trends shaping the world of business.
Ghost Kitchens Are Disappearing: Delivery-only operations boomed during the pandemic. Now Wendy’s, Kroger’s and mom-and-pop food businesses are rethinking their operations.
Axios Shifts Its Strategy: Jim VandeHei, the chief executive of Axios, is becoming one of the first news executives to adjust their company’s strategy because of A.I.
The Worst Part of a Wall Street Career: A.I. tools can replace much of Wall Street’s entry-level white-collar work, raising tough questions about the future of finance.
Combining Business and Leisure Travel: As employees increasingly add leisure time to their business trips, companies are trying to figure out where their duty of care obligations begin and end.
Inside Executive Protection Jobs: Here’s how three women trained to work in jobs protecting prominent families and ultra-high-net-worth individuals.
Gen X-ers Inch Toward Retirement: The oldest members of Generation X are several years from stopping work, but some are already seeking homes that will suit their later years.
Advertisement