Warning: Not only computers are vulnerable to hack attacks. Our bodies may be, as well.
A new study demonstrates a large gap in the security of implanted devices that help regulate heartbeats and use wireless technology, researchers from Beth Israel Deaconess Medical Center, the University of Massachusetts, and elsewhere report today.
"With some technical expertise, we were able to retrieve information from the device in an unauthorized fashion," said Dr. William H. Maisel, senior author of the report. "We were able to send commands to the device in an unauthorized fashion and could reprogram settings and even tell the device to deliver a high-voltage shock."
But Maisel, director of the Medical Device Safety Institute at Beth Israel Deaconess, emphasized that the millions of patients with implanted cardiac devices, such as pacemakers and cardiac defibrillators, should not be concerned.
"It's important to know that there has never ever been a single reported episode of this type of malicious attack on a defibrillator," he said. Because of the technical skill needed for an attack, the danger is extremely remote, he added.
"Patients are much better off having the defibrillator than not," Maisel said. "If I were getting an implantable defibrillator today, I would ask for one that had wireless capability."
The wireless communication allows a doctor to download data that help monitor a patient's heart activity and also makes it easy to send commands to the device, to adjust its activities as needed. Pacemakers deliver low-energy signals to help a slowing heart speed up, and defibrillators give the heart a high-voltage shock to restore its rhythm when beating perilously fast.
The study was performed on a lab bench, not in a live patient, Maisel said. But it showed two ways that the implantable devices could be manipulated to cause harm: a hacker could stop them from helping a patient or tell them to disturb the heart's rhythm, even inducing a potentially fatal shock. Hackers could also draw personal patient information from the devices, such as name and medical identification number.
The study, which is scheduled to be presented at a symposium on computer security in May, purposely omits certain details that would help hackers. And it also proposes several fixes that could help prevent or deter attacks.
An audible tone or a vibration could let a patient know whenever someone is communicating with an implanted heart device, Maisel said. The researchers also proposed encryption methods that could help safeguard data.
Though the threat of a hacker attack on a heart might seem distant, it is important to start thinking about computer security and privacy measures long in advance, said Tadayoshi Kohno, a University of Washington computer scientist who worked on the study.
There is a "revolution in medical device technology" under way, he said, and implanted devices are becoming more sophisticated and using longer-range wireless technologies. Implanted devices are ever more commonly used to treat diabetes and chronic pain, among other medical problems.
"It's important to understand the risks associated with new technologies before they become widely deployed," Kohno said.
Carey Goldberg can be reached at goldberg@globe.com.


