Heart defibrillator implants can be hacked-experts

By Maggie Fox, Health and Science Editor

WASHINGTON, March 12 (Reuters) - Implanted heart
defibrillators, which automatically shock a fluttering heart
back into a normal rhythm, can be hacked from the outside, U.S.
researchers reported on Wednesday.

There is no immediate danger to patients, the team of computer experts, electrical engineers and cardiologists
said.

But they made one Medtronic Inc device give up
patient information off its computer chip, got it to fire
improperly, and ran its battery down, all using inexpensive
equipment.

They offered a way to fix these weaknesses and said they
were publishing their findings not to frighten patients but to
inform the industry and regulators.

"I think patients with implantable defibrillators should
not be worried by this," Dr. William Maisel of the Beth Israel
Deaconess Medical Center and Harvard Medical School said in a
telephone interview.

"I think we would be doing them a disservice if this upsets
them. There has never been a documented malicious attack on
someone's implantable cardiac defibrillator."

Maisel said his team had contacted the U.S. Food and Drug
Administration because it could be an industry-wide problem.

Medtronic's Rob Clark said the company's devices had
carried such telemetry for 30 years with no reported problems.

"This is a very low-risk event for patients that have these
devices," Clark said in a telephone interview.

"The primary focus for us is on the safety and efficacy of
the device. A close second on that is security and privacy."

He said the company was aware of the risks and would take
them into account when designing products. "The technology in
these devices constantly evolves and improves, and we will
continue to incorporate measures to protect security and
patient information for these devices," Clark said.



9 Comments

Ummm

by kyle0816 - 2008-03-12 02:03:46

That's pretty disturbing.

Don't Worry, Be Happy!

by kmcgrath - 2008-03-12 03:03:09

FWIW, I just called my EP Doc's office & he told me there is a real low probability of anyone being able to hack in without having real close proximity to the ICD and the same equipment that they use to interrogate the device in his office.

He also told me that my recalled leads have a low risk of failing, so now I have two low probability things wrong with my device. I can't wait for the next "low risk" shoe to drop. :-(

Yikes!

by kmcgrath - 2008-03-12 03:03:18

First my leads get recalled and now this report. As a person who works in the cyber security field and who first saw this report on a cyber security mailing list that I monitor I am not a happy camper right now.

A link to the paper by these researchers can be found here:

http://www.secure-medicine.org/icd-study/icd-study.pdf

Link to NY Times article is below

by kmcgrath - 2008-03-12 04:03:34

Forgot to post this earlier:

http://www.nytimes.com/2008/03/12/business/12heart-web.html?_r=3&oref=sl&oref=slogin

Sounds like another hoax

by ElectricFrank - 2008-03-13 01:03:43

There is no way someone out of the country can hack your pacemaker without help from your doctor or EP. These reports are almost a weekly occurrence on the internet and the media loves to pick them up. To transmit data to your pacemaker a hacker would have to establish 2 way communication with it. It is possible to send data into the pacer with a powerful enough transmitting device, but it will be ignored unless a 2 way dialog establishes a valid ID. The problem is that the pacemaker signal is very weak and can only be picked up by a receiver right over it.

Some similar posts are:
Hacking into your refrigerator and spoiling all the food.
Hacking into your wrist watch and turning it into a microphone to spy on you.
Hacking your printer/copier to send copies of everything you print.

There is one that is possible that I haven't heard mentioned. Since the phone company can update the software in your cell phone over the air, They likely could turn on the camera or microphone, and monitor activities. This would be one of those govt spying things we have been hearing about.

So, never, ever, click on one of those internet links that says they will show you how to protect yourself. If you do you have just downloaded some bad stuff.

frank

Maybe took the wrong meaning?

by kmcgrath - 2008-03-13 04:03:09

>can be hacked from the outside, U.S.
>researchers reported on Wednesday.

The above means outside the body not outside the US.

If it was written "...can be hacked from outside the U.S., researchers reported..." that's a whole other meaning.

Not a Hoax, IMHO!

by kmcgrath - 2008-03-13 04:03:29

I'm about 1/2 way through reading the paper that you can read at the below site:

http://www.secure-medicine.org/icd-study/icd-study.pdf

and I see nothing so far to make me even think it's a hoax.

>>There is no way someone out of the country can hack >>your pacemaker

Where is this "out of the country" stuff coming from? What the study does state is that they only tested it from a range of 5 cm (~2"), but they imply that it might be possible from longer distances with a bit of experimentation.

BTW & IMHO, an article vetted & published in the NY Times is generally considered a good source of information.

Take a look at some of the other reports & who is reporting them:

http://www.google.com/news?sourceid=navclient-ff&rlz=1B3GGGL_enUS229US229&hl=en&ned=&q=hack+icd&ie=UTF-8&scoring=n

I will agree that there is a lot of garbage out on the Internet but this one looks very real to me unfortunately.

Cyber Secuirty Expert's Blog Comments

by kmcgrath - 2008-03-13 04:03:42

Bruce Schneier is a very well known expert in the field of security and security technology. I follow his blog on a regular basis and he is usually a voice of calm & reason on most security issues. His bottom line in the below blog entry:

"The general moral here: more and more, computer technology is becoming intimately embedded into our lives. And with each new application comes new security risks. And we have to take those risks seriously."

Link to full blog entry:

http://www.schneier.com/blog/archives/2008/03/hacking_medical_1.html

Another Hoax: Comments

by ElectricFrank - 2008-03-14 01:03:15

Thanks for the web site with the research. First off I want to acknowledge that the research paper is legitimate. The IEEE is a prestigious electronic organization. So ignore part of my comments above.
I intend to confirm some of the readings in the article when I have time. If the technical statements hold up I should be able to add the ability to read my own pacer. All I need to do is wrap a coil of wire near the head when I am doing a telephone check and intercept my readings. Interesting!
Now for a couple of limitations to the study.
1. They were making the measurements on the ICD when it is removed from the body. At this point the ICD would be in an emergency mode since it would not be sensing a heart beat. (Maybe I can download the manual for the model of ICD they used.) Since it wasn't putting out repeated defib pulses in response to the "cardiac arrest" it must have been in some unusual mode.
2. It was shown that the pacer would respond to "blind" transmissions which if coming from a powerful transmitter could span longer distances, there is no way to increase the power of the ICD transmitter so its signals likely are only good over a few centimeters.
3. If the transmissions were encrypted as they suggest there would have to be some way for a legitimate doctor to get the password anywhere in the world. How would it be to need emergency reprogramming or shut down of a pacer or ICD in some remote hospital, but need a password to do it.

interesting!

frank

You know you're wired when...

You have rhythm.

Member Quotes

We are ALIVE! How wonderful is modern medicine.