University of Massachusetts professor hacks heart device to expose risks
By Jessica Fargen | Friday, August 15, 2008 | bostonherald.com | Local Coverage
A UMass professor has found a way to remotely control an implantable heart defibrillator, proving that hell-bent hackers could some day terrorize the millions of people who rely on the devices to regulate their hearts.
With a homemade $1,000 radio transmitter, researchers were able to reprogram a pacemakerlike device and deliver high-energy shocks that could do all sorts of mischief, from causing a fatal heart attack to extracting personal information such as names and Social Security numbers.
But Kevin Fu, a University of Massachusetts at Amherst professor, said don’t worry yet.
“Our concern is for the future,” said Fu, who co-directs the Medical Device Security Center at UMass and presented the findings at a hacker conference in Las Vegas last week. “Today, the risk is very small. It’s a warning sign.”
Heart-attack prone Vice President Dick Cheney is one of millions of Americans who rely on pacemakers to regulate their tickers. Between 1990 and 2002, 2.6 million pacemakers and defibrillators were implanted.
And the wireless technology is only improving, increasing potential for a heart-pumping security breach.
“Could new devices be hackable? We have no definitive evidence to suggest one way or the other. But we expect the risks to increase as wireless ranges increase,” Fu said. “It’s important to understand the risks so you can protect against them.”
In research made public in March, Fu’s team, using a specially designed radio transmitter placed inches from a 2003 Medtronic defibrillator, proved they were able to hack into the device in a lab.
In reality, the devices are attached to the heart via electrodes that transmit information from the heart. A doctor retrieves the information remotely, sometimes as close as inches or feet away, and makes adjustments.
While still not a concrete threat, worries about the security of medical devices are growing.
A 2007 Food and Drug Administration draft guidance paper on wireless medical device technology warned of the potential for security breaches, but there’s no evidence that threat is real.
“Today, the chance of a patient’s (implantable cardioverter defibrillator) being reprogrammed by a malicious hacker is remote, and the safety and benefit of these devices outweigh the current risk of this kind of interference,” said FDA spokeswoman Peper Long.
Dr. William Maisel, a Harvard cardiologist and director of the Medical Device Safety Institute at Beth Israel Deaconess Medical Center, said the research team is exposing security holes, not giving hackers a how-to manual.
“We think it’s important to think about these types of things,” he said. “We don’t want to leave ourselves and our patients vulnerable.”
A spokeswoman for Medtronic, one of the top pacemaker producers, said although the risk of any patient harm is low, the company takes seriously security risks, such as the one exposed by the researchers.
“This was a very, very controlled environment,” said spokeswoman Tracy McNulty. “It’s never happened in the real world. You would literally have to be standing on top of somebody to make this work.”
She said the company is constantly working on new security technologies.
“There’s a lot of work that goes into ensuring the devices are safe from manipulation,” she said.
Article URL: bostonherald.com
Related Articles:
UMass, DEM reach settlement on water data
/news/regional/general/view.bg?articleid=1112745 |
