WASHINGTON (Reuters) - Implanted heart defibrillators, which automatically shock a fluttering heart back into a normal rhythm, can be hacked from the outside, U.S. researchers reported on Wednesday.
There is no immediate danger to patients, the team of computer experts, electrical engineers and cardiologists said.
But they made one Medtronic Inc device give up patient information off its computer chip, got it to fire improperly, and ran its battery down, all using inexpensive equipment.
They offered a way to fix these weaknesses and said they were publishing their findings not to frighten patients but to inform the industry and regulators.
“I think patients with implantable defibrillators should not be worried by this,” Dr. William Maisel of the Beth Israel Deaconess Medical Center and Harvard Medical School said in a telephone interview.
“I think we would be doing them a disservice if this upsets them. There has never been a documented malicious attack on someone’s implantable cardiac defibrillator.”
Maisel said his team had contacted the U.S. Food and Drug Administration because it could be an industry-wide problem.
Medtronic’s Rob Clark said the company’s devices had carried such telemetry for 30 years with no reported problems.
“This is a very low-risk event for patients that have these devices,” Clark said in a telephone interview.
“The primary focus for us is on the safety and efficacy of the device. A close second on that is security and privacy.”
He said the company was aware of the risks and would take them into account when designing products. “The technology in these devices constantly evolves and improves, and we will continue to incorporate measures to protect security and patient information for these devices,” Clark said.
“It may be possible to deter malicious activities by making patients aware of those activities,” Maisel, Tadayoshi Kohno of the University of Washington and colleagues wrote.
Their report, to be presented in May at a meeting of the Institute of Electrical and Electronic Engineers Symposium on Security and Privacy in Oakland, California, is available on the Internet at www.secure-medicine.org.
Maisel said more and more devices will use radio technology to communicate with physicians. “Right now these devices communicate over several feet most of time but it concerns us that in future they will communicate over longer and longer distances, so we want to initiate the discussion now,” he said.
The defibrillators, known as ICDs, can deliver a shock to an out-of-rhythm heart, and can include a pacemaker to keep the heart beating properly. They also can keep a record of heart activity, transmit information to a bedside station and alert health workers to any dangerous or unusual heart activity.
Defending against attacks should not be difficult, the researchers said. “Our defenses do not require battery power and therefore may require only minimal design changes to future implantable devices,” the researchers wrote.
Maisel and colleagues reported in 2006 that between 1990 and 2002, more than 2.6 million pacemakers and ICDs were implanted into patients in the United States. Among them is Vice President Dick Cheney, who is 67 and has survived four heart attacks.
Reporting by Maggie Fox; editing by Julie Steenhuysen and Mohammad Zargham