Medical: Could implanted medical devices be hacked?
Researchers from the University of Washington and University of Massachusetts found in 2008 that they could tap into private data.
Scripps Howard News Service
By some industry estimates, within five years a third of Americans could be connected to an electronic medical device that operates with wireless technology.
Medical devices — such as pacemakers, insulin pumps and blood-glucose monitors — have been around for years, but scientific advances are raising worries about who can listen in.
The advantages of the devices leave them vulnerable to outside interference — a signal sent from the equipment could be intercepted or instructions to them could be blocked or altered.
Although there are no reports that anyone has used an implanted medical device to intentionally harm someone, there have been several experiments that demonstrated hacking into the gear is possible.
Researchers from the University of Massachusetts and the University of Washington reported in 2008 that they had been able to override the control mechanism of a pacemaker using a device that mimicked it.
They found they could tap into private data such as the identity of the patient, the doctor and the diagnosis as well as the actual instructions for the device, which normally administers small shocks to the heart to maintain a regular beat, but also can produce a fatal shock.
In early August, Jay Radcliffe, a computer-security expert from Idaho, demonstrated a radio device he built to attack a wireless insulin pump during a digital self-defense conference in Las Vegas.
An earlier paper presented at a health-information conference also discussed methods for hijacking an insulin pump and possible defenses.
But as much fun as it might be for fiction writers to spin cyberattacks against medical technology, it is important to note that the experimental assaults took months to develop and were launched just inches away from devices that were not actually implanted.
Even so, several scientists wrote a paper for The New England Journal of Medicine in April suggesting that regulators do a security assessment on all new wireless medical devices that perform life-or-death functions before approving them for human use.
"Although it is reassuring that there hasn't yet been a widespread breach of device security, examination of early Internet security incidents provide useful insights into potential risks from these devices," they wrote.
Scientists at several institutions already are working on countermeasures. One idea, presented by researchers from MIT and the University of Massachusetts at a conference in July, is to use a second transmitter, perhaps worn as a necklace or watch, to jam unauthorized signals that could attack the device.
Several innovations were suggested at the Computer-Human Interaction conference in Atlanta in April. Among them, a more secure insulin pump with fewer wireless connections designed by a researcher from Tennessee's Oak Ridge National Laboratory. Others proposed new encryption or passwords that could be accessed only by authorized medical personnel.
Manufacturers are working with the Food and Drug Administration, which regulates medical gear, and the Federal Communications Commission, which regulates radio frequencies, to assess threats and set standards to protect the devices from hacking.
After Radcliffe's disclosure about the insulin pump, Reps. Anna Eshoo, D-Calif., and Edward Markey, D-Mass., asked the Government Accountability Office, Congress' investigative arm, to evaluate efforts by the FCC and FDA to protect devices using wireless technologies.
(Contact Lee Bowman at Bowmanl@shns.com.)
The Morning Memo
The Morning Memo jump starts your day with weather, traffic and news
Homes -- New Home Showcase
Dive into history in Now & Then