Researchers Hack Into Wireless Defibrillator—And Offer Security Solutions
It’s a terrifying thought—hackers using wireless technology to access your cardiac defibrillator or pacemaker. Would they steal your medical data? Change your settings?
Tell it to kill you?
“We hope our research is a wakeup call for the industry,” said Tadayoshi Kohno, an assistant professor of computer science and engineering at the University of Washington. He is a member of a team of researchers from the University of Washington, the University of Massachusetts at Amherst, and the Beth Israel Deaconess Medical Center at Harvard Medical School investigating the risks inherent in the greater use of wireless technologies in medical implants (see the figure).
Based on their studies, hackers can extract private information from these devices and reprogram them without the patients’ authorization and knowledge. Granted, such attacks require a high level of technical expertise, and there has never been a reported case of a patient with an implantable cardiac defibrillator or pacemaker targeted by hackers. Current devices also only provide short-range wireless access, though that could change as technology improves. But the researchers still say that medical device manufacturers need to take better care in their designs.
One of the purposes of this research is to encourage the medical device industry to think more carefully about the security and privacy of patient information, particularly as wireless communication becomes more common,” said William Maisel, a cardiologist with the Beth Israel Deaconess Medical Center. “Fortunately, safeguards are already in place, but device manufacturers can do better.”
The researchers suggest three simple prototype defenses that wouldn’t require any battery power to operate, nor any significant redesign to any implantable technologies. First, a notification deice could audibly alert patients to security-sensitive events. Next, another device could authenticate requests for access from outside devices. And third, a vibrating function in the implant could provide similar alerts.
“While there has been much research that explores the biological safety of implantable medical devices, there is limited understanding about the related issues of wireless security and privacy,” said Kevin Fu, an assistant professor of computer science at the University of Massachusetts at Amherst. “Understanding the security and privacy of implantable devices is essential for protecting the nation’s health and cyber infrastructure.”
Millions of cardiac defibrillators with wireless technology have been implanted worldwide. Doctors use these capabilities to diagnose patients, read and write private medical information, and adjust the device’s therapy settings all without resorting to invasive or exploratory surgery. The researchers selected a popular model and then used an inexpensive software radio to intercept and capture signals from the device. For example, they grabbed data about a hypothetical patient, including name, diagnosis, date of birth, and medical ID number.
Next, they were able to determine the defibrillator’s make and model, access real-time electrocardiogram results, and uncover data about heart rate and cardiac activity. The researchers followed with several attacks on the device, turning off its therapy settings and rendering it incapable of responding to cardiac events. They then told the device to deliver a shock that could have induced ventricular fibrillation, which could be lethal.
The researchers pointed out that they only studied one common model, so the risks to similar devices are uncertain. Also, they say that future studies are needed. Most importantly, they say that their results should not deter patients from using these lifesaving devices if their physician recommends them.
“In the 1970s, the Bionic Woman was a dream, but modern technology is making it a reality,” said Kohno. “People will have sophisticated computers with wireless capabilities in their bodies. Our goal is to make sure those devices are secure, private, safe, and effective.”
University of Washington
University of Massachusetts, Amherst
Beth Israel Deaconess Medical Center