Hacking Latest Safety Worry Surrounding Implantable DefibrillatorsMar 12, 2008 | Parker Waichman LLP
A new type of implantable defibrillator could become the latest target of computer hackers. In recent years, over 100,000 patients in the US have been implanted with a defibrillator device that has helped to reduce medical visits. The device and its technology enable patient information to be sent to a bedside monitor that then sends the data to a doctor. Transmissions generally occur once daily. Now, this relatively common defibrillator monitoring technology appears to be vulnerable to hacking and—worse—reprogramming that could stop the defibrillators from providing a lifesaving shock, according to research being released today.
Defibrillator transmissions sent to the bedside monitor are not encrypted, meaning that someone intercepting transmissions could retrieve data such as a patient's birth date, medical ID, and Social Security number. Researchers are concerned that as this technology is used in more devices—pacemakers, spinal cord stimulators, and hearing implants—and as radio ranges increase, patients’ data will be at greater risk. "There will be more implanted devices and more wireless capabilities and transmissions over greater distances," said Dr. William Maisel, a study authors and Harvard-affiliated director of the Medical Device Safety Institute at Beth Israel Deaconess Medical Center in Boston.
Food and Drug Administration spokeswoman, Peper Long, said hackers could use special software and antennas to intercept defibrillator transmissions, but felt this sort of hacking and malicious reprogramming, was "remote." "The benefits clearly outweigh the risks," said Long.
Defibrillators use electrical shocks to restore a heart to a normal heartbeat when it detects arrhythmia or other abnormalities; the American Heart Association recommends stopped hearts be shocked within two minutes. Chief defibrillator makers are Medtronic Inc., Boston Scientific Corp., and St. Jude Medical Inc. Maisel's team studied Medtronic's Maximo defibrillator.
Bruce Lindsay, an electro physiologist at the Cleveland Clinic and president of the Heart Rhythm Society, said defibrillator transmissions are "not designed to withstand terrorist attacks. But I don't think the findings have any great clinical significance. To hack the system, you have to get the programmer right up against the patient's chest. It's not as if somebody could do this from down the street."
Medtronic spokesman Rob Clark said the risk of any "deliberate, malicious, or unauthorized manipulation of a device is extremely low." Clark said future versions capable of transmitting signals as far as 30 feet will have stronger security. Boston Scientific said its defibrillators "incorporate encryption and security technologies designed to mitigate these risks," including measures to prevent unauthorized reprogramming. St. Jude said, "As the study points out, the likelihood of unauthorized or illegal manipulation of an implantable device is extremely remote, and St. Jude Medical is not aware of such an event with our devices."
Future iterations will have stronger, improved technology. "Our issues are less with the current generation of devices than with where we see the industry going with implanted medical devices," said Maisel. Maisel’s and fellow author Tadayoshi Kohno’s—a University of Washington assistant professor who co-led a 2003 study that raised questions about the security of an electronic voting system—study will be presented and published May 19 at a conference of the Institute of Electrical and Electronic Engineers Symposium on Security and Privacy.