Heart Monitors Can Be Hacked, Researchers Say

By Matthew Harwood

An American research team says the electronic information sent by defibrillators can be intercepted by hackers, with potentially nefarious consequences, but acknowledges that there is no evidence this has occurred.

Defibrillators implanted in a patient's chest cavity monitor a patient's heart rate and emit a high-voltage electric shock to the heart when it slows.

New defibrillators can now send information via radio signals to a patient's bedside monitor, which is then relayed to doctors, usually once a day, says Researchers Dr. William Maisel of the Medical Device Safety Institute at Beth Israel Deaconess Medical Center in Boston and Tadayoshi Kohno, a University of Washington assistant professor, found that these radio transmissions were not encrypted and therefore susceptible to interception.

This would possibly put patients' information and identity at risk, as well as the patients' names and medical ID numbers, the researchers write in their report, which will be presented and published May 19 at the Institute of Electrical and Electronics Engineers Symposium on Security and Privacy.

But Maisel and Kohno also say the possibility exists that a hacker could turn off a patient's defibrillator and kill her.

As the U.K.'s reports:

The hack takes advantage of the fact the ICD possesses a radio which is designed to allow reprogramming by a hospital doctor .... The Security Center demonstrated the hack on an ICD made by Medtronic using a PC, radio hardware and an antenna. The ICD was not in a patient at the time. The research is detailed in a report released today.

The report reveals that a hacker could "render the ICD incapable of responding to dangerous cardiac events. A malicious person could also make the ICD deliver a shock that could induce ventricular fibrillation, a potentially lethal arrhythmia."

The Food and Drug Administration acknowledges that the possibility exists that a hacker could intercept the radio transmission but says the likelihood of this happening is "remote."

The authors agree, stating that the logistics and the cost of the attack make the possibility "low." For instance, an attacker would have to be close to his intended victim. Bruce Lindsay, an electrophysiologist at the Cleveland Clinic and president of the Heart Rhythm Society, told that "To hack the system, you have to get the programmer right up against the patient's chest. It's not as if somebody could do this from down the street."

Plus, the equipment needed to carry out the intrusion is pricey and sophisticated. The kit used in the experiment cost Maisel and Kohno $30,000.

Nevertheless, the big three defibrillator manufacturers—Medtronic Inc., Boston Scientific Corp., and St. Jude Medical Inc.—said they are taking steps to mitigate the risk of unauthorized reprogramming and interception of information sent by their machines, reports

