Home Features Current Issue H&HN Daily Fiscal Fitness Video Podcasts Gatefold Issue Briefs Events Calendar Article Index Subscribe Online Store Advertise 2013 Media Guide(PDF) BPA Report(PDF) Classifieds About Us About H&HN About Health Forum Contact Us Staff List Email Us Article Reprints Editorial Guidelines RSS

| More

Researchers Hack Implantable Devices

By Douglas Page

Hospital executives urged to push device manufacturers to enhance product security

Kevin Fu hopes that he’s delivered a wake-up call to medical device manufacturers and other health care officials. Fu and colleagues at the University of Massachusetts Amherst, recently hacked their way into implantable medical devices, seizing private patient information, including name, disease diagnosis, birth date and medical record number.

Worse, the researchers were able to change the demographic data and also compromise patient safety by turning off settings stored in the device, rendering them unable to respond to cardiac events. Even more alarming, commands were then uploaded instructing the device to deliver an electric shock capable of inducing ventricular fibrillation, a potentially lethal arrhythmia.

It was all an experiment, but is the first known breach of wireless implantable medical devices, such as pacemakers and defibrillators. The study was designed to show how even clinical devices are vulnerable.

“There is no cause for concern for present devices,” Fu says. “As device manufacturers begin to embrace more sophisticated computer technology, security and privacy will play a larger role.”

Results of the research were presented in March at the Institute of Electrical and Electronic Engineers Symposium on Security and Privacy. The authors were careful to omit specific details from the paper that could be used for sinister purposes.

Still, the study raised a collective eyebrow among privacy advocates.

“People are running around with unsecured computers in their bodies,” says Pam Dixon, executive director of the World Privacy Forum. “Hospital CEOs need to push vendors harder on security. Device manufacturers need to understand that health care is not the retail sector.”

Device manufacturers also took notice. One, St. Jude Medical, maker of ICDs and pacemakers, intends to use the study as part of ongoing efforts to secure their devices, according to a company spokesperson.

The paper proposes several zero-power defenses that do not draw on device batteries. These include improving authentication from any external device attempting to communicate with an implantable unit; having the device alert patients whenever hacking is detected; and encrypting the data transmitted by the device.

The authors warn that while protecting wireless devices with a cryptographic key may provide added security, it could also inhibit emergency treatment if the key were unavailable. To view the study, go to www.secure-medicine.org.

---

GIVE US YOUR COMMENTS!

Hospitals & Health Networks welcomes your comments on this article. All comments will be reviewed by a moderator before being posted.

Please note: Your browser cookies must be enabled to leave comments and remember your login information. If you are having trouble posting a comment please enable your browser cookies or email us your comment at hhnmag@healthforum.com. comments powered by Disqus

---

Copyright ©2013 Health Forum. All rights reserved. H&HN is published by Health Forum, Inc. an American Hospital Association information company. Please report all website problems to webmaster@healthforum.com and circulation questions/requests to hhn@omeda.com. This website contains links to sites which are not owned or maintained by the American Hospital Association(AHA). The AHA is not responsible for the content of non-AHA linked sites, and the views expressed on non-AHA sites do not necessarily reflect the views of the American Hospital Association.