CD&D

As if we didn't already have enough privacy and security concerns to worry about, the medical device industry must add one more to the "not absolutely secure" list. A team of researchers has demonstrated that devices monitored by telemetry can be disrupted wirelessly and are thus, essentially, hackable.

The Medical Device Security Center (Washington) in early March issued a study, titled "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses," proving this possibility, though under highly specialized laboratory conditions rather than everyday circumstances. It was done at a very short distance from the device, just 2 cm, and required the use of $30,000 in high-tech equipment and an expert lab team.

Thus, the study suggests that this is unlikely to be a widespread problem, at least not immediately. And it may have sounded unnecessary alarms for patients, according to industry experts.

"If you've got the resources and expertise to do what they've done, it's possible – and we're not surprised on that level," Rob Clark, senior director, state government affairs for Medtronic (Minneapolis), told Cardiovascular Devices & Drugs Update. The company has a special concern for avoiding any widespread panic about this, since one of its ICDs, a Maximo, was used in the experiment.

The experimenters, Clark said, "demonstrated what is possible, but the probability is remote, and patients shouldn't be concerned."

The researchers used an antenna, radio hardware, and a PC to intercept wireless signals from the Maximo, and they suggested that similar technology could be used to access patient information, turn the device off, modify therapy settings or render it incapable of responding to dangerous cardiac events. A malicious person could also make the implant deliver a shock that could induce ventricular fibrillation, a potentially lethal arrhythmia.

One of the study's authors, Kevin Fu, PhD, assistant professor, Department of Computer Science, University of Massachusetts, told CD&D that the primary intention was not to sound alarms for patients with ICDs, "because patients are much better off with these devices." "It's more about the future, when newer devices come out," Fu said.

"We know the Internet is now plagued with viruses and spam and that wasn't always the case. In the beginning it was relatively calm. So we feel this is a wake-up call to avoid the same kinds of problems and to ensure that future devices will be safe."

He said Medtronic's Maximo ICD was used simply because it was readily available and also very commonly used for patients.

"A fundamental challenge will be to develop methods that appropriately balance security and privacy with traditional goals such as safety and effectiveness. Our work provides a foundation for these explorations, on top of which we hope to see much subsequent innovation," the authors wrote.

"To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide," Clark said. "Going forward, industry is working to make sure security is built into these devices and as the wireless capabilities and the distance of telemetry extends, that security will go up accordingly."

Clark pointed out that the implants aren't beaming wireless signals all the time. When a physician accesses or alters an ICD program at a distance, it comes on and goes off briefly, so the chances that somebody could maliciously or even accidentally affect a pacemaker are even more remote.

"The device industry has taken strong measures to ensure the safety of patients from both a data privacy standpoint and remote device setting manipulation," Clark said. "For example, several safeguards are built into these devices to protect the devices from normal daily interference. They include electronic filters that distinguish between natural heart beat signals and interference signals."

Bruce Lindsay, MD, president of the Heart Rhythm Society (HRS; Washington), also downplayed the report, saying that it had no clinical significance and that attention to it has been way overblown. "The industry has put huge efforts into developing devices as safely as they can," Lindsay told CD&D. "These devices have a remarkable track record for safety and effectiveness. The product recalls we've recently had show they are not perfect, but they have had a huge impact on saving lives," he said.

Lindsay said the study will be of interest to engineers, and it would be appropriate to include more protection in future designs, but that ICDs "were designed to save lives. They weren't designed to resist attacks ... It's not likely that a team of engineers will go running down the street to hurt somebody with an ICD."

He said that medical device makers should "take a look at this [report], but don't let it draw the focus away from the industry's fundamental mission."

The Medical Device Security Center is a partnership between self-funded researchers at Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts Amherst, and the University of Washington.