Pacemakers Vulnerable To Hacking - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Business & Finance
05:17 PM
Connect Directly

Pacemakers Vulnerable To Hacking

Three medical schools demonstrate the wireless dangers that can disturb an implantable cardioverter defibrillator like the Medtronic Maximo DR.

Implantable medical devices like pacemakers seem secure, buried within one's body. But a team of researchers have demonstrated that's not the case.

In a newly published academic paper, computer scientists from the Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts Amherst, and the University of Washington have shown that a combination pacemaker and defibrillator with wireless capabilities, the Medtronic Maximo DR, can be hacked.

"Our investigation shows that an implantable cardioverter defibrillator (1) is potentially susceptible to malicious attacks that violate the privacy of patient information and medical telemetry, and (2) may experience malicious alteration to the integrity of information or state, including patient data and therapy settings for when and how shocks are administered," the paper states.

Such a shock could induce ventricular fibrillation, which is potentially lethal.

Several million pacemakers and defibrillators have been implanted in patients in the United States.

The paper, "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses," is scheduled to appear in May, as part of the proceedings of the 2008 IEEE Symposium on Security and Privacy. It was co-authored by Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, and William H. Maisel.

The researchers say they believe that their attempts to reverse-engineer the communications going to and from the Medtronic implantable cardioverter defibrillator represent the first use of software defined radios in the security community for reverse engineering wireless protocols. The group used the GNU Radio software toolkit to create a radio receiver capable of processing radio waves as defined by software.

In publishing the findings, the researchers are not suggesting that heart patients face significant imminent risk from hackers. They say in a statement published on the research group's Web site,, that their findings should not deter patients from accepting these devices if deemed appropriate by a physician.

"We believe that the risk to patients is low and that patients should not be alarmed," the researchers say. "We do not know of a single case where an IMD [implantable medical device] patient has ever been harmed by a malicious security attack. To carry out the attacks we discuss in our paper would require: malicious intent, technical sophistication, and the ability to place electronic equipment close to the patient. Our goal in performing this study is to improve the security, privacy, safety, and effectiveness of future IMDs."

Clearly, medical device makers have room for improvement. In his blog post about the findings, security expert Bruce Schneier said, "Of course, we all know how this happened. It's a story we've seen a zillion times before: The designers didn't think about security, so the design wasn't secure."

In an e-mailed statement, Medronic said, wireless security issues have been known for 30 years and that Medronic pays close attention such issues. The company said it welcomed the opportunity to address security concerns with regulators and researchers, but noted that "such dialogue must be accurate, balanced and responsible."

"While all implanted devices must use wireless telemetry for programming -- typically in very close range (several inches to several feet) -- the risk of any deliberate, malicious, or unauthorized manipulation of a device is extremely low," Medtronic said. "In fact, to our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide."

Nonetheless, Medtronic said the technology in these devices continues to improve and that the company will continue to incorporate security measures to protect patient safety.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2018 State of the Cloud
2018 State of the Cloud
Cloud adoption is growing, but how are organizations taking advantage of it? Interop ITX and InformationWeek surveyed technology decision-makers to find out, read this report to discover what they had to say!
9 Steps Toward Ethical AI
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/15/2019
How to Assess Digital Transformation Efforts
Lisa Morgan, Freelance Writer,  5/14/2019
Is AutoML the Answer to the Data Science Skills Shortage?
Guest Commentary, Guest Commentary,  5/10/2019
Register for InformationWeek Newsletters
Current Issue
A New World of IT Management in 2019
This IT Trend Report highlights how several years of developments in technology and business strategies have led to a subsequent wave of changes in the role of an IT organization, how CIOs and other IT leaders approach management, in addition to the jobs of many IT professionals up and down the org chart.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll