Medical devices such as pacemakers are vulnerable to attacks by hackers, who could gain access to a patient's private details or reprogram their device and put their health in jeopardy, a US study showed Wednesday.
A research team led by computer scientists Kevin Fu of the University of Massachusetts and Tadayoshi Kohno of the University of Washington, and cardiologist William Maisel of Harvard Medical School, was able in lab tests to intercept signals sent from an implantable cardiac defibrillator (ICD).
"The device contained information like the patient's name, their therapy settings, their date of birth and some other information from their doctor," Fu told AFP.
"In addition, we were able to modify the settings on the device using an unauthorized machine we built. So, for instance, we could cause defibrillation shocks to not happen when they should and to happen when they shouldn't," he said.
Today's ICDs typically receive wireless signals over a small distance, but technology is expanding the range of the devices -- and creating greater potential for information to be intercepted.
The study stressed that there have been no reported cases of a patient with an ICD or pacemaker being targeted by hackers.
"The greater concern is about what's going to happen down the line as these devices become more sophisticated, as they embrace wireless technology and connect to the Internet, as they begin to hook up with other devices," said Fu.
"In the future, there may be a defibrillator that talks to a drug pump in your body," he said.
"We want to make sure that the community understands how security and privacy affect more traditional goals of safety and effectiveness as new technologies are being integrated into medical devices."
Maisel said that a key aim of the study was "to encourage the medical device industry to think more carefully about the security and privacy of patient information, particularly as wireless communication becomes more common."
"Fortunately, there are some safeguards already in place, but device manufacturers can do better," the cardiologist said in a statement.
Despite the security flaws shown up by the study, Fu stressed that the pros of being fitted with a pacemaker or ICD far outweigh the security- and privacy-related cons.
"When a doctor tells a patient they need one of these devices to live a normal and healthy life, they're much better and much safer having the device than not having it," he said.
He also said the likelihood of would-be assassins trying to get close to someone they know has a pacemaker or ICD to manipulate the device and kill the patient was very slim.
"That's a very creative idea but it's a little bit elaborate and it would be rather challenging to build a similar machine" to the one used in the study, he said.
In addition, the research team omitted details in their published paper "that prevent the findings from being used for anything other than improving patient security and privacy."
"Maybe the assassin scenario would make for a good spy novel, but there are much simpler ways to accomplish that sort of thing," Fu said.
The peer-reviewed report will be presented and published at the Institute of Electrical and Electronics Engineers Symposium on Security and Privacy in Oakland, California in May.