
Defibrillators open patients up to privacy risks

By Adam Coulter, Collegian Staff


Published: Sunday, March 23, 2008

Updated: Tuesday, February 3, 2009


Ben Barnhart, University of Washington

New advances for wireless implantable cardiac defibrillators and pacemakers have improved the odds of surviving a cardiac arrest, but the new devices may expose patients to privacy and security risks.

Because these medical devices are equipped with wireless technology, health care practitioners can diagnose patients, read and write private medical information and adjust the device's therapy settings remotely.

Although patients will no longer need repeated visits to their doctor, researchers at the University of Massachusetts and other institutions have established that there is a possibility the patient's private medical information could be extracted and their devices reprogrammed by remote hackers.

"In the lab, we had one of these ICD devices, and we were able to read private information and change the settings that control the shocks to the heart," said study participant and assistant professor of Computer Science, Kevin E. Fu.

There has never been a case of a hacker targeting an implantable cardiac defibrillator, but the researchers stressed that the study was designed solely to identify and prevent future risks to patients.

"We have found solutions to mitigate problems before the devices are able to receive signals from greater distances," Fu said.

As of now, the devices typically receive short-range signals over several feet. The study was headed by Tadayoshi Kohno of the University of Washington, Kevin E. Fu, assistant professor of computer science at UMass and cardiologist Dr. William H. Maisel of the Beth Israel Deaconess Medical Center and Harvard Medical School.

The researchers began with some ideas of how the ICD worked and where it was vulnerable.

"An implantable cardiac defibrillator is a pager-sized device that is implanted under the skin in the chest and is connected to the heart via wires, which monitor the heart rhythm," said Dr. William H. Maisel. "If the heart has a dangerously fast rhythm, the ICD automatically recognizes it and sends a therapy to the heart muscle."

According to Maisel, the genius of the device is in the speed with which it reacts.

"This happens in a matter of seconds," said Dr. Maisel.

To test their theories, the team mounted a series of attacks on the test ICD. Some steps required manipulation of the signals being sent between the commercial programmer, which is the manufacturers' medical device, and the ICD.

"The ICD didn't check to see if we were the commercial programmer or a hacker," said first year UMass graduate student and study author Ben Ransford. "We were able to record the signals and replay them back, which resulted in the ICD thinking we were the programmer."

Once this occurs, therapy settings stored in the ICD could be turned off and the patient's birth date and name read.

Three deterrence and prevention mechanisms, each requiring zero battery power, were developed by the researchers to combat these possible risks, including a notification device that audibly alerts patients of security breaches.

"The purpose of the audible alert is to work as a deterrent, something like a car alarm," said Fu.

The other two prototypes include a tool that authenticates requests for access and a vibrating device that a patient can sense.
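The replay weakness and the request-authentication defense described above, as an added sketch that is not from the article or the study. The key, command string and class names are constructed for illustration, and HMAC challenge-response is an assumed stand-in for the researchers' prototype, whose protocol the article does not describe.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: hypothetical key and command, not from any real device.
SHARED_KEY = b"constructed-demo-key"
COMMAND = b"SET therapy=off"


class NaiveDevice:
    """Accepts any well-formed command; it never checks who sent it."""

    def handle(self, frame: bytes) -> bool:
        return frame.startswith(b"SET ")


class ChallengeResponseDevice:
    """Issues a fresh random challenge and accepts a command only with a
    matching HMAC over (challenge || command). Each challenge is single-use."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # fixed length, so no ambiguity
        return self._pending

    def handle(self, command: bytes, tag: bytes) -> bool:
        nonce, self._pending = self._pending, None  # consume the challenge
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce + command, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def programmer_tag(key: bytes, nonce: bytes, command: bytes) -> bytes:
    """What a legitimate programmer holding the key would send."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest()


def demo() -> dict:
    naive, auth = NaiveDevice(), ChallengeResponseDevice(SHARED_KEY)
    nonce = auth.challenge()
    recorded_tag = programmer_tag(SHARED_KEY, nonce, COMMAND)  # captured traffic
    results = {"naive_replay": naive.handle(COMMAND),
               "auth_legit": auth.handle(COMMAND, recorded_tag)}
    auth.challenge()  # a later session gets a new challenge
    results["auth_replay"] = auth.handle(COMMAND, recorded_tag)
    results["auth_no_challenge"] = auth.handle(COMMAND, recorded_tag)
    return results
```

The recorded tag is only valid for the challenge it was computed over, so replaying it in a later session fails even though the command bytes are identical.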

The study team believes that more safety features will undoubtedly be added in the future, and the prevention mechanisms they developed will have a use as well.

"A lot of the defenses we described will work in the future, and it's amazing what we've accomplished without physically opening up the test ICD," said Ransford.

Adam Coulter can be reached at apcoulte@student.umass.edu
