PR Disaster for Wireless Medical Devices

We had an interesting experience in this area. When our child was in the hospital on an automatic IV drip, we discovered that using her cell phone to text friends caused the regulator to periodically misfire.

Here’s an even scarier look at wireless medical devices from Electronic Design magazine:

It’s a terrifying thought—hackers using wireless technology to access your cardiac defibrillator or pacemaker. Would they steal your medical data? Change your settings?

Tell it to kill you?

“We hope our research is a wakeup call for the industry,” said Tadayoshi Kohno, an assistant professor of computer science and engineering at the University of Washington. He is a member of a team of researchers from the University of Washington, the University of Massachusetts at Amherst, and the Beth Israel Deaconess Medical Center at Harvard Medical School investigating the risks inherent in the greater use of wireless technologies in medical implants.

Based on their studies, hackers can extract private information from these devices and reprogram them without the patients’ authorization and knowledge. Granted, such attacks require a high level of technical expertise, and there has never been a reported case of a patient with an implantable cardiac defibrillator or pacemaker targeted by hackers. Current devices also only provide short-range wireless access, though that could change as technology improves. But the researchers still say that medical device manufacturers need to take better care in their designs.

Millions of cardiac defibrillators with wireless technology have been implanted worldwide. Doctors use these capabilities to diagnose patients, read and write private medical information, and adjust the device’s therapy settings, all without resorting to invasive or exploratory surgery. The researchers selected a popular model and then used an inexpensive software radio to intercept and capture signals from the device. For example, they grabbed data about a hypothetical patient, including name, diagnosis, date of birth, and medical ID number.

Next, they were able to determine the defibrillator’s make and model, access real-time electrocardiogram results, and uncover data about heart rate and cardiac activity. The researchers followed with several attacks on the device, turning off its therapy settings and rendering it incapable of responding to cardiac events. They then told the device to deliver a shock that could have induced ventricular fibrillation, which could be lethal.
