[ISN] Hackers may target pacemaker technology
InfoSec News
isn at c4i.org
Mon Feb 28 05:37:58 EST 2005
http://www.seacoastonline.com/news/02242005/news/66202.htm
[This is just pandering for the racy headline more than anything else;
when you look at the steps to attack a pacemaker remotely, the physical
attack is way easier. - WK]
By Joe Adler
jadler at seacoastonline.com
February 24, 2005
PORTSMOUTH - Although praised by doctors for their convenience, the
emerging technology of remote-from-home defibrillators has caused some
to fear that hackers could someday interfere with a patient's
treatment for heart ailments.
Defibrillators, also commonly known as pacemakers, can be half the
size of a person's palm and fit tightly inside the chest wall. The
device relays information to a physician about a patient's heart rate
and rhythm, and can "shock" a heart back into rhythm when it suffers
from fibrillation.
As defibrillators become more common, and doctors attend to many more
patients with the devices, ICDs (implantable
cardioverter-defibrillators) are being tailored to relay information
from outside the examination room, according to Dr. Mark Jacobs, a
Portsmouth Regional Hospital cardiologist.
The Food and Drug Administration has already approved - and medical
technology companies are already marketing - equipment for the devices
that can transmit a patient's heart-monitoring information, such as an
electrocardiogram, through phone lines. A cardiologist can assess a
patient's progress while the patient is miles away.
"As the technology changes, more and more of this is being done at the
home for patients with an inability to be transported," Jacobs said.
"Some patients go to Florida, and they're living here only part time."
With breakthroughs in defibrillator technology come security concerns.
The remote relaying system - which allows patients to hold a wand
above their chest and transmit information through an answering
machine-sized contraption - is encrypted. But like any
telecommunications, there is the small risk of a hacker obtaining
sensitive information, Jacobs said.
He added that, while the FDA has not approved it, technology now
exists to allow physicians to program ICDs through the phone lines.
Currently, heart disease patients have regular checkups to fine-tune
their defibrillators.
"The devices aren't perfect. As people change medication, their
defibrillators need to be adjusted, or a battery can start to be
depleted," Jacobs said.
"If it's approved that we are able to re-program the device over the
phone, it's theoretically possible that someone could intercept that
call and reprogram someone's device in an adverse fashion."
Peter Gove, vice president for St. Jude Medical, which sells a home
remote monitoring system for defibrillators, said the technology for
remote reprogramming of the devices is a long way off, but "moving
in that direction."
"(Patients) today typically visit their physicians on a regular basis
to have the device interrogated," Gove said.
Gove added that St. Jude's product is careful not to transmit any
personal information about patients.
Despite the concern, Jacobs said the transmitters now on the market
are a godsend for his patients with busy schedules, and they are
equipped with encryption devices to protect their information.
"They like it because it is very convenient," he said. "They don't
have to interrupt their schedule. If they're having a problem, they
can call up and it can be evaluated immediately. It saves them from
not going to work for half a day."