Capital Gazette wins special Pulitzer Prize citation for coverage of newsroom shooting that killed five

How secure are pacemakers?

The Baltimore Sun

It's not something your doctors want you to worry about. Really.

Still, it's unsettling: With enough time, energy and expertise, a pacemaker can be hacked.

Implanted devices that keep ailing hearts beating steadily need better protection, the team that hacked into one is telling regulators and manufacturers.

"This is not an important risk for patients right now," said Dr. William Maisel, a Harvard cardiologist who specializes in heart rhythms. "We just want the industry to be thoughtful about where we as a society are going with these devices."

Maisel worked with computer experts from University of Massachusetts, Amherst and the University of Washington to demonstrate that an implantable defibrillator could be altered remotely to deliver a dangerous shock, or withhold a potentially lifesaving one.

The group presented its findings May 19 in Oakland, Calif., at a symposium on security and privacy being put on by IEEE, a technology association.

It's a timely subject. The electronic gear that can be put inside the human body is becoming more versatile and easier to operate from afar. Pacemakers can send signals to bedside monitors that then send data to doctors. Some devices can be quickly detected and reprogrammed in an emergency room, potentially saving an unconscious patient's life.

Along with pacemakers, implanted since the 1960s to generate electrical pulses that regulate heartbeats, newer devices include defibrillators that can reset a dangerously fluttering heart, nerve stimulators for pain control and deep brain stimulators to treat some movement disorders. All are inserted surgically, but can later be reprogrammed from outside the body. That adjusting usually happens in a doctor's office or hospital.

Yet some "remarkable" changes are on the horizon, said Dr. Larry Wolff, a University of California Davis Medical School professor who specializes in implanting defibrillators. "I believe over time we could make programming changes on the telephone," he said, although that's not possible now.

There is no known case of malicious tampering with a device inside someone's body.

The Medical Device Security Center, a collaboration of researchers from three universities, tinkered with one on a lab table, after buying $30,000 worth of commercially available equipment to assist the hacking.

Researchers ran tests that deduced how a particular defibrillator worked. They used that information to alter it from less than an inch away. Potentially, they said, an attacker could disrupt heartbeats, dangerously drain a battery or even extract private medical information.

"We know that a doctor is capable of doing this," said Kevin Fu, a computer science professor at Amherst. "Experts like ourselves know how to do it. The question is, what's the lowest bar?"

Dr. David Steinhaus, medical director for the cardiac rhythm disease branch of Medtronic, a leading implant maker, said his company's engineers are looking hard at security issues, but there's a trade-off.

"These are lifesaving devices" that must be quickly and easily accessed in emergencies, he said. "Anything I do to make it more secure, makes it less usable."

Copyright © 2019, The Baltimore Sun, a Baltimore Sun Media Group publication | Place an Ad