[ISN] Hackers may target pacemaker technology

[InfoSec News]

http://www.seacoastonline.com/news/02242005/news/66202.htm

[This is just pandering for the racy headline than anything else, when
you look at the steps to attack a pacemaker remotely, the physical
attack is way easier.  - WK]


By Joe Adler 
jadler at seacoastonline.com
February 24, 2005   

PORTSMOUTH - Although praised by doctors for their convenience, the 
emerging technology of remote-from-home defibrillators has caused some 
to fear that hackers could someday interfere with a patient's 
treatment for heart ailments. 

Defibrillators, also commonly known as pacemakers, can be half the 
size of a person's palm and fit tightly inside the chest wall. The 
device relays information to a physician about a patient's heart rate 
and rhythm, and can "shock" a heart back into rhythm when it suffers 
from fibrillation. 

As defibrillators become more common, and doctors attend to many more 
patients with the devices, ICDs (implantable 
cardioverter-defibrillators) are being tailored to relay information 
from outside the examination room, according to Dr. Mark Jacobs, a 
Portsmouth Regional Hospital cardiologist. 

The Food and Drug Administration has already approved - and medical 
technology companies are already marketing - equipment for the devices 
that can transmit a patient's heart-monitoring information, such as an 
electrocardiogram, through phone lines. A cardiologist can assess a 
patient's progress while the patient is miles away. 

"As the technology changes, more and more of this is being done at the 
home for patients with an inability to be transported," Jacobs said. 
"Some patients go to Florida, and they're living here only part time." 

With breakthroughs in defibrillator technology come security concerns. 
The remote relaying system - which allows patients to hold a wand 
above their chest and transmit information through an answering 
machine-sized contraption - is encrypted. But like any 
telecommunications, there is the small risk of a hacker obtaining 
sensitive information, Jacobs said. 

He added that, while the FDA has not approved it, technology now 
exists to allow physicians to program ICDs through the phone lines. 
Currently, heart disease patients have regular checkups to fine tune 
their defibrillators. 

"The devices aren't perfect. As people change medication, their 
defibrillators need to be adjusted, or a battery can start to be 
depleted," Jacobs said. 

"If it's approved that we are able to re-program the device over the 
phone, it's theoretically possible that someone could intercept that 
call and reprogram someone's device in an adverse fashion." 

Peter Gove, vice president for St. Jude Medical, which sells a home 
remote monitoring system for defibrillators, said the technology for 
remote reprogramming of the devices is a long a way off, but "moving 
in that direction." 

"(Patients) today typically visit their physicians on regular basis to 
have the device interrogated," Gove said. 

Gove added that St. Jude's product is careful not to transmit any 
personal information about patients. 

Despite the concern, Jacobs said the transmitters now on the market 
are a godsend for his patients with busy schedules, and they are 
equipped with encryption devices to protect their information. 

"They like it because it is very convenient," he said. "They don't 
have to interrupt their schedule. If they're having a problem, they 
can call up and it can be evaluated immediately. It saves them from 
not going to work for half a day."