
IMPLANTABLE CARDIOVERTER DEFIBRILLATOR WITH PACEMAKER: New research indicates that ICDs and other implantable medical devices may be susceptible to tampering when information is sent wirelessly to or from such a device.
Image: Courtesy of iStockphoto
It sounds like the far-fetched plot of a sci-fi thriller: Bad guys strike down a high-ranking politician or captain of industry by hacking into and remotely tinkering with his or her pacemaker, insulin pump, implantable cardioverter defibrillator (ICD) or other medical implant. Unfortunately, new research shows such a scenario is no longer just science fiction.
Scientists from Harvard Medical School's Beth Israel Deaconess Medical Center in Boston, the University of Massachusetts Amherst and the University of Washington in Seattle say they were able to launch cyber strikes against and glean private patient data from an ICD's communication protocol while testing the device's safety and security.
The researchers tested a Maximo DR VVEDDDR (manufactured by Minneapolis-based Medtronic, Inc.), because it is a typical ICD with pacemaking (steady, periodic electrical stimulation) and defibrillation (single, large shock) functions that communicates with an external monitoring device smaller than a laptop. The monitoring device has a handheld antenna that the patient holds over his or her chest, where the ICD is implanted, to read information wirelessly. The scientists acknowledge their findings are limited to this particular ICD (available in the U.S. since 2003), but warn that they highlight potential dangers that manufacturers must address.
Surgeons routinely implant ICDs and pacemakers in patients with irregular heartbeats, generally placing them just under the skin below a patient's clavicle (collarbone) and attaching their whisker-thin wires inside the heart muscle or on its surface. An irregular heartbeat triggers the implanted device to send electrical shocks to restore a normal rhythm. Most such devices register and record such events, information that health care workers can access wirelessly via monitoring devices.
Imagine the consequences, though, if someone were to maliciously reconfigure a pacemaker remotely so that it fails to shock a speeding heart or, conversely, jolts one that is beating normally. Yet that is just what researchers caution could happen in a paper they are scheduled to present at the 2008 IEEE Symposium on Security and Privacy in Oakland, Calif., in May. In the paper, published on their Medical Device Security Center Web site, they wrote they had no trouble accessing unencrypted sensitive information in the ICD—including patient records and vital signs—and then reprogramming the settings determining when the appliance should administer electric shocks.
"Balancing security and privacy with safety and efficacy will become increasingly important as [implanted medical device] technologies evolve," the researchers wrote. They stressed that patients with ICDs, pacemakers, neurostimulators, implantable drug pumps and similar implantable medical devices (IMDs) are not in imminent danger, pointing out that "no IMD patient has ever been harmed by a malicious security attack" to their knowledge. But they noted that tighter security and privacy controls are needed to protect against potential strikes in the future.
Among the researchers' hacking arsenal: an eavesdropping antenna to pick up and read patient information; a transmitting antenna to send disruptive instructions to the ICD; an oscilloscope to visualize and record signals sent to and from the device; and a universal software radio peripheral (USRP), a device that allowed them to create a software radio on their computer.
"Our results show that wireless transmissions disclose private data," they wrote, including a patient's name, birth date, medical history and ID number as well as the treating physician's name and contact information, and the ICD model and serial number. (All of this information was created specifically for the research project—no actual patient data was used.)




4 Comments
Making public such a potential flaw is irresponsible. Work on solutions ... don't provoke malicious people with new challenges.

Balancing security and privacy with safety and efficacy will become increasingly important as implanted medical device technologies evolve.

Remote control is a potential danger some of the cases of which patients with the mentioned devices should be harmed by a malicious security attack.
It would also be extremely easy to set up special encryption so that the devices could only be accessed by authorized devices and authorized users, and had extremely limited range. Adjustable shunts (for example) are only adjustable at extremely close range, and the adjustments made would never be lethal, only problematic if done incorrectly.

Currently anyone with a medical implant faces more problems from a microwave oven than any 'malicious hacker'.
It would be extremely easy to hack a special encryption for a hacker psycho enough to do this. Also making this public... ha ha. This is old news to any hacker. Do you really think they never would have thought of this on their own? It's a scary world out there. Just hope no one would do it, because it's entirely possible (as the research shows).