According to researchers Tadayoshi Kohno, assistant professor of computer science and engineering at Washington University, working with Kevin E Fu, assistant professor of computer science at UMass Amherst, and cardiologist William H Maisel MD, director of the Medical Device Safety Institute at Beth Israel Deaconess Medical Centre and Harvard Medical School, patients’ private medical data could be extracted and their devices reprogrammed without the patients’ authorisation or knowledge.
The study was designed to identify and prevent future problems, they emphasise; no patient with an implantable cardiac defibrillator or pacemaker has been targeted by hackers. It was pointed out that the study required a high level of technical expertise, and the published paper omits certain method details to prevent the findings from being misused. ‘One of the purposes of this research is to encourage the medical device industry to think more carefully about the security and privacy of patient information, particularly as wireless communication becomes more common,’ Dr Maisel explained. ‘Fortunately, there are some safeguards already in place, but device manufacturers can do better.’
The team expects this issue to take on greater importance as implantable cardiac defibrillators operate wirelessly at greater distances. These devices typically receive short-range wireless signals over several feet, but new technologies are expanding that reach even farther, creating the potential for information to be intercepted en route. ‘We hope our research is a wake-up call for the industry,’ said Tadayoshi Kohno. ‘In the 1970s, the Bionic Woman was a dream, but modern technology is making it a reality. People will have sophisticated computers with wireless capabilities in their bodies. Our goal is to make sure those devices are secure, private, safe and effective.’
Kevin E Fu noted that the study developed three prototype defences that require no battery power, making them potentially easy to incorporate in the devices without extensive redesigning.
The researchers used an implantable cardiac defibrillator containing computers and radios that allow healthcare practitioners to diagnose patients, read and write private medical information and adjust the device’s therapy settings wirelessly. They also used an inexpensive software radio to intercept and capture signals sent from the implantable device. In this way they obtained detailed information about a hypothetical patient, including name, diagnosis, date of birth and medical ID number. They also determined the device make and model, and accessed real-time electrocardiogram results and data on heart rate and cardiac activity.
They then mounted several attacks and were able to turn off the therapy settings stored in the implantable device, rendering it incapable of responding to dangerous cardiac events. Additional commands caused the device to deliver a shock that could induce ventricular fibrillation, a potentially lethal arrhythmia.
Because the team studied one common model of implantable cardiac defibrillator, the susceptibility of similar devices to privacy and security risks is uncertain. The team believes future studies are needed to assess potential risks associated with other implantable devices equipped with wireless technology. They also strongly advise that nothing in their report should deter patients from receiving such life-saving devices when medically recommended.
Their peer-reviewed report will be presented in May and published at the Institute of Electrical and Electronics Engineers Symposium on Security and Privacy in Oakland, California.