Pacemakers Vulnerable To Hacking - InformationWeek
Business & Finance
05:17 PM
Connect Directly

Pacemakers Vulnerable To Hacking

Three medical schools demonstrate the wireless dangers that can disturb an implantable cardioverter defibrillator like the Medtronic Maximo DR.

Implantable medical devices like pacemakers seem secure, buried within one's body. But a team of researchers have demonstrated that's not the case.

In a newly published academic paper, computer scientists from the Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts Amherst, and the University of Washington have shown that a combination pacemaker and defibrillator with wireless capabilities, the Medtronic Maximo DR, can be hacked.

"Our investigation shows that an implantable cardioverter defibrillator (1) is potentially susceptible to malicious attacks that violate the privacy of patient information and medical telemetry, and (2) may experience malicious alteration to the integrity of information or state, including patient data and therapy settings for when and how shocks are administered," the paper states.

Such a shock could induce ventricular fibrillation, which is potentially lethal.

Several million pacemakers and defibrillators have been implanted in patients in the United States.

The paper, "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses," is scheduled to appear in May, as part of the proceedings of the 2008 IEEE Symposium on Security and Privacy. It was co-authored by Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, and William H. Maisel.

The researchers say they believe that their attempts to reverse-engineer the communications going to and from the Medtronic implantable cardioverter defibrillator represent the first use of software defined radios in the security community for reverse engineering wireless protocols. The group used the GNU Radio software toolkit to create a radio receiver capable of processing radio waves as defined by software.

In publishing the findings, the researchers are not suggesting that heart patients face significant imminent risk from hackers. They say in a statement published on the research group's Web site,, that their findings should not deter patients from accepting these devices if deemed appropriate by a physician.

"We believe that the risk to patients is low and that patients should not be alarmed," the researchers say. "We do not know of a single case where an IMD [implantable medical device] patient has ever been harmed by a malicious security attack. To carry out the attacks we discuss in our paper would require: malicious intent, technical sophistication, and the ability to place electronic equipment close to the patient. Our goal in performing this study is to improve the security, privacy, safety, and effectiveness of future IMDs."

Clearly, medical device makers have room for improvement. In his blog post about the findings, security expert Bruce Schneier said, "Of course, we all know how this happened. It's a story we've seen a zillion times before: The designers didn't think about security, so the design wasn't secure."

In an e-mailed statement, Medronic said, wireless security issues have been known for 30 years and that Medronic pays close attention such issues. The company said it welcomed the opportunity to address security concerns with regulators and researchers, but noted that "such dialogue must be accurate, balanced and responsible."

"While all implanted devices must use wireless telemetry for programming -- typically in very close range (several inches to several feet) -- the risk of any deliberate, malicious, or unauthorized manipulation of a device is extremely low," Medtronic said. "In fact, to our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide."

Nonetheless, Medtronic said the technology in these devices continues to improve and that the company will continue to incorporate security measures to protect patient safety.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2018 State of the Cloud
2018 State of the Cloud
Cloud adoption is growing, but how are organizations taking advantage of it? Interop ITX and InformationWeek surveyed technology decision-makers to find out, read this report to discover what they had to say!
5 Data and AI Trends for 2019
Jessica Davis, Senior Editor, Enterprise Apps,  1/7/2019
Act Now to Reap Automation Benefits Later
Guest Commentary, Guest Commentary,  1/3/2019
Cloud Trends: Look Behind the Numbers
James M. Connolly, Executive Managing Editor, InformationWeekEditor in Chief,  12/31/2018
Register for InformationWeek Newsletters
Current Issue
Enterprise Software Options: Legacy vs. Cloud
InformationWeek's December Trend Report helps IT leaders rethink their enterprise software systems and consider whether cloud-based options like SaaS may better serve their needs.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll