Study: Pacemakers Could Be Hacked

A Harvard Medical School (HMS) study released last week shows that Implantable Medical Devices (IMD), such as pacemakers, could be high-risk targets for hackers.

Researchers from the University of Massachusetts, University of Washington, Beth-Israel Deaconess Hospital, and Harvard Medical School found that hackers could intercept patient information and reprogram the device, potentially endangering the patient by sending additional electrical signals to the heart.

The researchers presented their findings last Wednesday, in anticipation of the publication of their paper, “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.”

The study focused on the Medtronic Maximo, an IMD with wireless capabilities. These typically work over short distances and allow physicians to monitor the patients.

“The wireless features of these devices are safety features. They provide the ability for the device to remotely communicate with a bedside monitor, for example, to report abnormalities with device performance,” said HMS professor William H. Maisel, one of the study’s authors.

The researchers cautioned, though, that there have been no reported cases of a pacemaker being hacked and a patient’s health being jeopardized. But Maisel said this should not lessen the need for security features in the development of such products.

A press release by Medtronic, the company that manufactures the Maximo, said they look forward to examining the relevant security issues with researchers and regulators. They also said that newer devices with wider transmission ranges were equipped with safety features incorporated.

The study’s authors warned that patients should not be overly alarmed by the findings since the benefits still outweigh the risk.

“The wireless technologies are important features,” Maisel said. “If I were to have a device implanted, I would ask for one that has wireless capabilities.”

The researchers do not provide specific details of how a hacker could attack an IMD to prevent their findings from “being used for anything other than improving patient security and privacy.”

The authors will present their findings in May at the institute of Electrical and Electronic Engineers Symposium on Security and Privacy in Oakland, Calif.