Daily Mail

The heart pacemakers at risk from hackers

Sound far-fetched? Security experts are treating it deadly seriously

By JONATHAN GORNALL

Pacemakers have been saving lives for more than half a century, offering peace of mind to millions of patients. Small, smart and unobtrusive, today’s models can transmit a constant stream of information about a patient’s heart to their doctor, allowing problems to be tackled before they get out of hand.

They can even be reprogrammed remotely while still in the patient’s chest — usually by technicians working a few metres away in the operating theatre.

But could pacemakers and other smart medical technology be getting too smart for our own good?

Like many of today’s sophisticated medical devices, such as insulin pumps that are implanted in patients or hospital medication systems that administer drugs via drips, pacemakers are becoming part of the ‘internet of things’; connected to networks for the benefit of patients, doctors and hospitals alike.

But experts are now warning this interconnectivity is an Achilles’ heel that could expose thousands of vulnerable patients to a terrorist attack for the digital age.

This is not science fiction; in experiments, pacemakers and other devices have already been hacked, raising concerns that fatal electric shocks or drug doses could be administered, either to targeted individuals or groups of people fitted with the same device.

Last month, academics warned that increasing connectivity to computer networks ‘has exposed medical devices to cybersecurity vulnerabilities’.

Worryingly, healthcare organisations and medical device regulatory bodies were not ready to deal with the risk, wrote experts from the eHealth Research Group and Security Research Institute in Australia.

And until they were, it concluded ominously, ‘patient safety is under threat’.

In the UK, there are hundreds of thousands of people walking around with pacemakers, which help damaged hearts to maintain an even rhythm, or ICDs — implantable cardioverter defibrillators — that can shock a heart back to life.

Last year alone, almost 35,000 patients had a pacemaker fitted and 4,000 were given an ICD.

But does that mean they all can soon expect to find themselves on the frontline of a frightening new form of warfare? That depends on whom you ask.

No, says Medtronic, one of the big three international makers of pacemakers, whose products are widely used here. ‘The likelihood of a malicious security breach of a patient’s device is low,’ a spokesman said.

BUT former U.S. Vice President and long-term heart patient, Dick Cheney would give you a different answer. In the tenth episode of the second season of the TV series Homeland, broadcast in 2012, the fictional vice president is assassinated by terrorists who hack into his wireless-enabled ICD to give him a fatal heart attack.

The plot was not an exercise in dramatic licence. Cheney’s cardiologist revealed that in 2007, he’d asked Medtronic to disable the wireless function of his VIP patient’s implanted heart device.

Why? Because of fears that ‘a sophisticated attacker might wirelessly access the device, reprogram it, and . . . kill the Vice President’.

The Homeland episode was inspired by the work of Kevin Fu, a professor in electrical engineering and computer science at the University of Michigan. In 2008, Professor Fu and colleagues demonstrated it was possible to hack into an implantable heart defibrillator and deliver a fatal shock.

What’s more, the hacking device could be made as small as a mobile phone, and used to attack people with pacemakers and defibrillators in crowded places. That raises the prospect of a targeted attack in a public place on a politician known to be fitted with a heart device — or random attacks on any pacemaker patients who happen to be in the wrong place at the wrong time. And, when connected to hospital networks, such devices could also be as vulnerable as ordinary computers to viruses being embedded in their software by hackers.

Today, Professor Fu and the university’s Research Center for Medical Device Security work with manufacturers, including Medtronic, to improve the safety of wireless devices.

Many makers, Professor Fu told us, had woken up to the danger and ‘started security engineering programmes within their companies’. But ‘while these early adopters are making great strides, many manufacturers are still playing catch up’ — and a small minority were ‘ignoring or downplaying the security risks’, he says.

The U.S. authorities are certainly taking the problem seriously. In June 2013, the Food and Drug Administration (FDA) urged all hospitals and manufacturers to ‘take steps . . . to reduce the risk of failure due to cyber attack’.

Last October, the Department of Homeland Security revealed it was investigating suspected cybersecurity flaws in ‘about two dozen medical devices . . . that officials fear could be exploited by hackers’. In a watershed moment, in March, Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, working with the FDA, issued an historic first ever cybersecurity alert for a medical device.

An ‘independent researcher’ had identified four vulnerabilities in MedNet, a widely used computer system designed automatically to manage the delivery of drugs directly into the veins of hospital patients. ‘An attacker with a low skill could exploit software vulnerabilities in the system and interfere with patients’ doses,’ it warned.

Hospira, the U.S.-based manufacturer, quickly released a new version of the software, but in the following months new cybersecurity warnings were issued about a series of computerised drug-delivery pumps made by the company. A spokesman for Hospira told us there had been ‘no known . . . breaches in a clinical setting of Hospira infusion pumps to date’.

So-called ‘white hat’ hackers — benevolent hackers who search for security weaknesses to let companies know about them — have been warning for years that smart medical devices are a disaster waiting to happen, and have carried out demonstration hacks of life-or-death devices, including portable insulin pumps and pacemakers.

But none of this appears to be on the radar in Britain.

No guidance or warnings on the subject of cybersecurity have been issued to users or manufacturers of wireless medical devices by the Department of Health, the NHS or the Medicines and Healthcare Regulatory Agency (MHRA) — the FDA’s opposite number in the UK.

The Department of Health told us ‘the MHRA is leading on this’. Meanwhile the MHRA said it was ‘aware of the potential for cybersecurity attacks towards medical devices and continued to monitor the situation’.

Compare that passive approach with guidance in May from the FDA warning makers of networked medical devices to beware ‘cybersecurity vulnerabilities [that] open the door to unwanted software changes’.

AND in contrast to the major ongoing investigation into the cyber threat to medical devices by the U.S. Department of Homeland Security, a spokesman for the UK’s National Counter Terrorism Policing HQ said the issue ‘doesn’t sit’ with them, ‘but with CERT’ — the National Computer Emergency Response Team.

A CERT spokesman told us it is ‘aware of this potential issue’ and it continues ‘to monitor’ it.

Cardiologists appear relaxed about the threat. Richard Schilling, professor of cardiology and commercial director at the Bart’s Heart Centre, London, says ‘the potential downsides are so small it would seem excessive to raise the prices of the devices, depriving some patients of their benefits, because of what I think is an unreasonable fear’.

Likewise Trudie Lobban, founder of the Arrhythmia Alliance, a coalition of charities, patient groups and cardiology professionals, said although they were now becoming ‘increasingly sophisticated, the development of these devices and the regulatory approval required takes years’ and patients ‘can be reassured they are not at risk’.

And yet even Medtronic, one of the most security-conscious companies in the field, concedes that hacking its pacemakers, while difficult, is nevertheless possible.

It continuously makes ‘security improvements and design changes to products and works with security researchers and experts, including Professor Fu’. Furthermore, its spokesman said some of its devices used ‘proximity communications’, which meant that ‘someone attempting to manipulate a device would need to be in very close physical proximity to the patient’.

Other wireless heart devices, says Medtronic, are equipped for ‘communication from a longer distance’. Here the ‘communication’ mode has to be switched on for the hack to happen. In other words, ‘an attacker would need to be constantly attentive to when a device might be enabled, which is unlikely’.

But, as the Vice President of the U.S. feared, not impossible.

After Chrysler recalled 1.4 million Jeep Grand Cherokees in July following the discovery that the vehicles could be wirelessly hacked, Professor Fu commented that for years he’d been ‘wondering which would happen first’ — a cybersecurity recall of a medical device or a car’.

‘The medical device community should consider itself lucky that the automotive community has earned the dubious honour of having the first cybersecurity-only recall,’ he wrote. But it was ‘just a matter of time before some medical device company will receive a painful, late-night phone call’.
