In a disturbing article in today's Boston Globe, it appears that there are large security gaps in "implanted devices that help regulate heartbeats and use wireless technology."
Dr. William H. Maisel, director of the Medical Device Safety Institute at Beth Israel Deaconess Medical Center, who led a research project into medical device security risks, says in the story:
"With some technical expertise, we were able to retrieve information from the device in an unauthorized fashion. We were able to send commands to the device in an unauthorized fashion and could reprogram settings and even tell the device to deliver a high-voltage shock."
Maisel goes on to say that patients with pacemakers and cardiac defibrillators that have wireless capability shouldn't be concerned because of the high level of technical skill needed to conduct such an attack.
Maisel suggests that device manufacturers and maybe regulators may need to consider adding an audible tone or a vibration that "could let a patient know whenever someone is communicating with an implanted heart device."
While the risk may be remote, I can see all sorts of new television murder mystery plots developing. A person wanting to bump off their spouse or relative who has a pacemaker hires some mysterious hacker to do the job, or a group of young people, fed up with seeing their Social Security and Medicare taxes going up or worried that there won't be any left for them as they grow older deciding to knock off seniors en mass by driving by nursing homes and fooling with implanted medical devices. Tech savvy lawyer, doctor, private investigator, neighbor sets out to solve the case, blah, blah, blah.
TV plots aside, I do wonder, though, how soon we'll see hackers in the near future offering software to destabilize medical devices for the right price.
Comments (1)
I resigned from Medtronic in protest over their sloppy regard for safety and the law. I worked on Medtronic's wireless telemetry and have a patent application on techniques to improve the security of medical implant communications. Communication to and from distance telemetry implants from Medtronic are not very secure (as compared to wireless internet security), but I'm more concerned about how the device went unstable in testing and other problems that could cause the device to malfunction and hurt someone without the need for a Lex Luther. The types of problems I witnessed with the Concerto implant caused circuit burnout problems in other circuits I have worked on. You do not want your implant to burn out, especially if you're pacemaker dependent. Medtronic put far less thought and effort into their wireless communication safety than a major cell phone manufacturer I've worked for and when problems cropped up they were ignored. For example, when the FCC rules were inconvenient for Medtronic, they decided to just violate FCC law or file fraudulent applications with the FCC for decades. I'm telling you this, but the evidence is unquestionable.
Posted by Chris Fuller | March 13, 2008 7:43 PM
Posted on March 13, 2008 19:43