For millions of heart patients across the United States, the difference between life and death is the pager-sized heart pacemaker or Implantable Cardiac Defibrillator (ICD). The pacemaker sends tiny electrical signals through the heart to time each beat properly and maintain the normal sinus rhythm needed to pump blood.
The ICD is a similar device, typically used for patients whose heart pumps normally most of the time but can convert into a dangerous rhythm that results in improper blood flow and could lead to death. The ICD is a smaller, low-power version of the external defibrillator used in hospitals and on ambulances.
Many of the most common ICDs and pacemakers implanted in patients across the country now feature wireless control capabilities. Some of the devices can even connect to the internet, allowing doctors to monitor patients from remote locations and change device settings without surgical intervention.
A group of researchers from the Medical Device Security Center published a report (PDF) showing that, under a specific set of circumstances, the wireless communications of these ICDs and pacemakers could be hacked. The researchers were able to gather patient information from the devices' wireless telemetry functions.
To gain access to this telemetry data, the researchers used an antenna, radio hardware and a PC, which could be readily obtained by any malicious user. The researchers say that the ICD telemetry data was transmitted without observable encryption from the Medtronic Maximo used in the study. The researchers were able to gather the patient’s name, medical history, date of birth and more.
The more serious problem the researchers found was that a malicious party could actually change the settings on the ICD, causing it to deliver a high-voltage shock capable of causing a heart arrhythmia that could be lethal.
The researchers note that the testing they performed was on a device not implanted into a person, and that the ICD was in close proximity to the radio equipment. This hacking doesn’t appear to be something that can happen from a distance.
Does this research mean that anyone with an ICD or pacemaker that features wireless telemetry needs to rush to their doctor for a replacement? The researchers say they strongly believe that nothing they have found should deter patients from receiving this type of device if recommended by their doctor.
The researchers further state that the risk to patients is low and that no instance of a hack on an ICD or pacemaker has ever been recorded.