Security Experts: Hackers Could Target Pacemakers

April 1, 2010— -- People these days may fear hackers are eyeing their home computers, their work computers or even the computers in their phones.

But computer security experts are worried about hackers who might one day go after computers in people's bodies. After all, medical devices designed to deliver medicine or help heart conditions are so high tech that experts consider them small computers with wireless capabilities that can run software.

"I think the risk to patients today is extremely low," said Dr. Tadayoshi Kohno, co-author of an article about the security of implantable devices published Wednesday in the New England Journal of Medicine.

"I would have no qualms about getting one of the devices on the market now if I needed them," Kohno said. "I think it's preparing for the unexpected [that matters]. ... The last thing we want is, in five or 10 years, to think, 'Oops we should have thought about security.'"

One such implantable device is an implantable cardioverter defibrillator, or ICD. More than 135,000 patients receive these defibrillators each year to prevent sudden heart attacks.

Doctors now can program ICDs to monitor someone's heart condition and send the right level of electrical shock to get the heart beating properly or deliver data about that person's heart rhythms to a doctor. But recently researchers have been able to demonstrate how a malicious hacker could potentially trigger the device to malfunction, delivering a dangerous shock.

What's more, people with ICDs often are public about them. Former Vice President Dick Cheney is one example of a high-profile American with a device.

Kohno and co-author Dr. William Maisel of the Cardiovascular Institute of Beth Israel Deaconess Medical Center in Boston have called for the U.S. Food and Drug administration regulate and to work with medical device manufacturers to stop potential security breaches in a variety of wireless, implantable devices such as pacemakers or insulin pumps.

The worry, according to Kohno, is of potential security leaks in an ever increasing network of wireless computers around us -- especially in devices most people don't think of as computers.

"We're seeing computers in our picture frames in our walls," Kohno said. "We're seeing computers in our cars. We are seeing computers in our bodies.

"As computers start surrounding us they start talking to each other," said Kohno, referring to wireless communication.

Hackers Can Get Into Cars, Too

The implications can be unexpected.

Take the case of a Texas man who police say used the Internet to remotely disable ignitions and set off car horns of more than 100 vehicles sold at his former workplace. The hack took advantage of a software program that is meant to aid repo services trying to retrieve cars.

"This is another example of how computers are everywhere, and we want to think about security beforehand rather than after," said Kohno. "When the Internet was designed, people didn't think about security, either, and when things happened it was, 'Oh, no,' and a struggle to catch-up."

Kohno and colleagues demonstrated several years ago how a hacker could send a dangerous jolt to a patient with an ICD if he or she got in range of the ICD's wireless signal -- which currently is limited to a single room.

Dan Kaminsky, director of penetration testing for IOActives, a Seattle based security company, agreed that the threat should not scare heart patients right now.

"Within wireless distance of you, the number of attackers is necessarily pretty small," Kaminsky said. "It's not to say the devices can't be attacked. They can be. ... It is something for the implant device [user] to think about it."

Kaminsky said he would be more concerned about monitors -- such as heart monitors -- in hospitals. Security experts found that the conficker worm that struck in March 2009 infected life-saving machines in hospitals, according to Kaminsky.

But, "in general, the most likely attacks against the medical system are that you always have to follow the money, or are going to be disclosures of medical information," said Kaminsky.

Having software vulnerable to attacks is not unique to manufacturers of medical devices, Kaminsky said adding that software engineers often focus on quality or speed rather than security.

"There's a lot of coming to terms with this new engineering requirement of security, just as power people had to come to terms with being green [energy efficient]," said Kaminsky.

Security in Medical Devices May Change

Indeed, the FDA already has issued guidance drafts regarding cyber security, according to FDA spokeswoman Peper Long.

The FDA has not heard reports of malicious attacks on pacemakers, ICDs or insulin pumps, Long said.

"We haven't seen adverse events data that indicate that this is happening on a widespread basis," she said. But, "we certainly share the concern about device privacy and security."

Medtronic, a major manufacturer of ICDs, said in a statement that the company "believes[s] the risk of deliberate, malicious, or unauthorized manipulation of an implantable device is extremely low."

"In fact, to our knowledge, there has never been a single reported incident of such an event outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of implants worldwide," the statement said.

Still, the company said it would "welcome the opportunity to work with the FDA, health care practitioners, and other medical device manufacturers to define and establish formal device security guidelines."

The Advanced Medical Technology Association put out a similar prepared statement in response to the New England Journal of Medicine article.

"Medical device manufacturers are committed to patient safety and take seriously any threats to patient care and privacy no matter how remote or unlikely the scenario," said Janet Trunzo, executive vice president of technology and regulatory affairs for the association, in the group's statement.

Still, computer security experts say most software engineers need to think ahead before designing a device and to think critically about the risk and probability of an attack, rather than to dwell on the track records of the past.

"Most of the security researchers agree that security cannot be added on," said Mustaque Ahamad, director of the Georgia Tech Information Security Center in Atlanta.

Ahamad said most parties involved -- from doctors to the FDA and manufacturers -- will have to work together to determine a level of security. Moreover, every extra measure of security will add cost to the life-saving device.

"In security, we have something called threat modeling," Ahamad said. "There is always a sort of debate about what is a real threat and what is possible. But the risk is so low that we're not going to worry about it."