ICDs are remotely controlled over an encrypted wireless protocol. The devices are surgically implanted into a heart patient's chest and deliver appropriate therapy to fix abnormal heart rhythm.
The study, “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses,” raises concerns over the risk of unauthorized and illegal remote manipulation of these devices. Also, the report warns vulnerabilities in these implants may allow hackers access to the private patient information stored on them.
“It's a wake-up call that security and privacy need to be part of the equation for the design of future medical devices, especially if those devices rely on wireless technology,” Kevin Fu, a researcher on the study and assistant professor at the University of Massachusetts Amherst, told SCMagazineUS.com on Thursday.
The study was done in a lab setting, using equipment such as a wireless radio and a computer. The researchers were able to access an ICD and read patient information, change therapy settings, and cause a defibrillator shock.
Fu admitted that the risks are minimal to heart patients.
“It took a fairly skilled team to make this work, and even then it only worked in a laboratory in a close setting,” he said.
A spokesman for Minneapolis-based Medtronic, maker of the ICD called Maximo, welcomed the opportunity to discuss security issues, said patients should not worry.
“The device industry has taken strong measures to ensure the safety of patients from both a data privacy standpoint and remote device setting manipulation,” spokesman Rob Clark said on Thursday. “Several safeguards are built into these devices to protect the devices from normal daily interference.”
Fu, however, said he thinks the results of this study will have an impact on the way security issues are approached by medical researchers in the future.
“If we can design security and privacy into the devices before it [vulnerabilities] becomes too pervasive, we'll have a safer and more effective system in the long run,” he said.