Posted on 03/12/2008 2:46:48 PM PDT by kiriath_jearim
Medical devices such as pacemakers are vulnerable to attacks by hackers, who could gain access to a patient's private details or reprogram their device and put their health in jeopardy, a US study showed Wednesday.
A research team led by computer scientists Kevin Fu of the University of Massachusetts and Tadayoshi Kohno of the University of Washington, and cardiologist William Maisel of Harvard Medical School was able in lab tests to intercept signals sent from an implantable cardiac defibrillator (ICD).
"The device contained information like the patient's name, their therapy settings, their date of birth and some other information from their doctor," Fu told AFP.
"In addition, we were able to modify the settings on the device using an unauthorized machine we built. So, for instance, we could cause defibrillation shocks to not happen when they should and to happen when they shouldn't," he said.
Today's ICDs typically receive wireless signals over a small distance, but technology is expanding the range of the devices -- and creating greater potential for information to be intercepted.
The study stressed that there have been no reported cases of a patient with an ICD or pacemaker being targeted by hackers.
"The greater concern is about what's going to happen down the line as these devices become more sophisticated, as they embrace wireless technology and connect to the Internet, as they begin to hook up with other devices," said Fu.
"In the future, there may be a defibrillator that talks to a drug pump in your body," he said.
"We want to make sure that the community understands how security and privacy affect more traditional goals of safety and effectiveness as new technologies are being integrated into medical devices."
Maisel said that a key aim of the study was "to encourage the medical device industry to think more carefully about the security and privacy of patient information, particularly as wireless communication becomes more common."
"Fortunately, there are some safeguards already in place, but device manufacturers can do better," the cardiologist said in a statement.
Despite the security flaws shown up by the study, Fu stressed that the pros of being fitted with a pacemaker or ICD far outweigh the security- and privacy-related cons.
"When a doctor tells a patient they need one of these devices to live a normal and healthy life, they're much better and much safer having the device than not having it," he said.
He also said the likelihood of would-be assassins trying to get close to someone they know has a pacemaker or ICD to manipulate the device and kill the patient was very slim.
"That's a very creative idea but it's a little bit elaborate and it would be rather challenging to build a similar machine" to the one used in the study, he said.
In addition, the research team omitted details in their published paper "that prevent the findings from being used for anything other than improving patient security and privacy."
"Maybe the assassin scenario would make for a good spy novel, but there are much simpler ways to accomplish that sort of thing," Fu said.
The peer-reviewed report will be presented and published at the Institute of Electrical and Electronic Engineers Symposium on Security and Privacy in Oakland, California in May.
Not if they run under DOS and not Vista :)
Is murder by this method called “The Blue Face of Death”?
Hacking a pacemaker should be considered attempted murder and punished as such.
This is such a load of crap. Hard to believe anyone would write it. A pace maker has to have a wand placed over the patients device before a computer can be used to change anything. I can just see hackers trying to chase someone down in order to put the wand on them plus you have to know what type of pace maker someone has in order to have the correct software to use. The biggest thing though is that pace makers can’t be hacked into as you would a computer, this is, once again, such a load of crap.
I wish it were a load of crap... For over a decade I was was a technical fellow/senior staff scientist at the company in question. One of my responsibilities was systems engineering on the AICD and dual-chamber pacing products.
I’ve just no reviewed the full pre-print of “Pacemakers and Implantable Cardiac Defibrillators:Software Radio Attacks and Zero-Power Defenses” by Jalperin et al, available as a download at http://www.secure-medicine.org/
In Section IV (pages 8-10) authors claim they were able to maintain transmissions, and initiate triggered stimuli and reprogram parameters and change stored data with no magnetic field present.
It seems to me that our old safeguards for battery longevity and also for security have been negated...
I suspect the young engineers or outside consultants have lost track of the reasons why things were done, and are too lazy to use state diagrams to keep track of the firmware specifications.
I repeat, a load of crap.
You've obviously never conducted emissions and susceptibility testing on an implantable cardiac pacemaker or defibrillator.
A pace maker(sic) has to have a wand(sic) placed over the patients device before a computer can be used to change anything.
First of all, pacemaker is one word. Second, an electromagnetic coil is placed over the implantable device. The coil can either be integral to the programmer or external to the programmer. The reason why the coil is placed directly over the implanted device is because the radiated signal from both the programmer and the implanted device is relatively weak; moreso for the implanted device than the programmer. Therefore, in order to achieve the coupling required for successful interrogation/reprogramming/confirmation the two must be in close proximity to one another. However, if the programmer/interrogator has adequate radiated power the distance that reprogramming can occur from can be much greater.
The biggest thing though is that pace makers,(sic) can’t be hacked into as you would a computer
Guess again.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.