Business & Finance
News
3/12/2008
05:17 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Pacemakers Vulnerable To Hacking

Three medical schools demonstrate the wireless dangers that can disturb an implantable cardioverter defibrillator like the Medtronic Maximo DR.

Implantable medical devices like pacemakers seem secure, buried within one's body. But a team of researchers have demonstrated that's not the case.

In a newly published academic paper, computer scientists from the Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts Amherst, and the University of Washington have shown that a combination pacemaker and defibrillator with wireless capabilities, the Medtronic Maximo DR, can be hacked.

"Our investigation shows that an implantable cardioverter defibrillator (1) is potentially susceptible to malicious attacks that violate the privacy of patient information and medical telemetry, and (2) may experience malicious alteration to the integrity of information or state, including patient data and therapy settings for when and how shocks are administered," the paper states.

Such a shock could induce ventricular fibrillation, which is potentially lethal.

Several million pacemakers and defibrillators have been implanted in patients in the United States.

The paper, "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses," is scheduled to appear in May, as part of the proceedings of the 2008 IEEE Symposium on Security and Privacy. It was co-authored by Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, and William H. Maisel.

The researchers say they believe that their attempts to reverse-engineer the communications going to and from the Medtronic implantable cardioverter defibrillator represent the first use of software defined radios in the security community for reverse engineering wireless protocols. The group used the GNU Radio software toolkit to create a radio receiver capable of processing radio waves as defined by software.

In publishing the findings, the researchers are not suggesting that heart patients face significant imminent risk from hackers. They say in a statement published on the research group's Web site, secure-medicine.org, that their findings should not deter patients from accepting these devices if deemed appropriate by a physician.

"We believe that the risk to patients is low and that patients should not be alarmed," the researchers say. "We do not know of a single case where an IMD [implantable medical device] patient has ever been harmed by a malicious security attack. To carry out the attacks we discuss in our paper would require: malicious intent, technical sophistication, and the ability to place electronic equipment close to the patient. Our goal in performing this study is to improve the security, privacy, safety, and effectiveness of future IMDs."

Clearly, medical device makers have room for improvement. In his blog post about the findings, security expert Bruce Schneier said, "Of course, we all know how this happened. It's a story we've seen a zillion times before: The designers didn't think about security, so the design wasn't secure."

In an e-mailed statement, Medronic said, wireless security issues have been known for 30 years and that Medronic pays close attention such issues. The company said it welcomed the opportunity to address security concerns with regulators and researchers, but noted that "such dialogue must be accurate, balanced and responsible."

"While all implanted devices must use wireless telemetry for programming -- typically in very close range (several inches to several feet) -- the risk of any deliberate, malicious, or unauthorized manipulation of a device is extremely low," Medtronic said. "In fact, to our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide."

Nonetheless, Medtronic said the technology in these devices continues to improve and that the company will continue to incorporate security measures to protect patient safety.

Comment  | 
Print  | 
More Insights
IT's Reputation: What the Data Says
IT's Reputation: What the Data Says
InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.