Heart Hacking

28 09 2012

by Matthew Moses

When you hear the terms DoS attack, wireless exploitation, and data alteration what comes to mind? Personally, I think of a black hat hacker operating some bot net to disable service against its target’s website. I also imagine some shady individuals cruising the streets looking for open or easily crackable wireless networks for free and anonymous internet access. While these examples certainly fit the profile, would you ever imagine these terms in relation to implantable medical devices?

Implantable Medical Devices

Implantable Medical Devices (IMD) are becoming increasingly more popular and used in the treatment of a variety of diseases. For instance, in 2001 it was estimated that 25 million Americans were using implantable defibrillators (Nelson 21). Insulin pumps are another variety of implantable medical devices, and from my personal experience I have seen their popularity boom over the past 5 – 10 years. Other types of IMD include pacemakers and neurostimulators (Security and Privacy 30). These devices have varied uses but one thing that they have in common is their ability to more effectively treat diseases and complications for the individuals utilizing them. Many of the functions they perform are inseparably connected with the well-being and health of the patient. With many of these devices allowing configuration changes and data exportation wirelessly, care needs to be taken to protect against vulnerabilities in these devices.

During a BlackHat security convention, researcher Jay Radcliffe demonstrated his ability to “hack” his insulin pump. Radcliffe was able to accomplish this feat using a custom piece of software he built in addition to some extra computer hardware (Kaplan 1). One reporter explained, “These commands can order the device to turn off, but more dangerously, they can significantly raise or lower the levels of insulin Radcliffe’s body absorbs at any given moment” (Kaplan 1).

Similar research and technological hacking feats were accomplished by the Medical Device Security Center. A group of their researchers were able to reverse engineer communications between a clinical device referred to as a “programmer” and a specific implantable cardioverter defibrillator (Pacemakers 2). The researchers successfully executed several configuration changes on the device and explained that their “experiments suggest that the ICD could be forced to remain in a mode in which it continually engages in wireless communications” (Pacemakers 10). This last attack is commonly referred to as a denial of service attack (DoS) in the information security industry and in this case battery depletion is the cause for concern. This same group of researchers note that they “have not measured the power consumed by telemetry or other RF transmissions, but it is possible that these operations decrease battery life faster than normal ICD operation alone” (Pacemakers 10).

Should We Be Concerned

For those using IMDs or who have family members using IMDs it seems like we should be worrying. However, given the present state of the matter the Medical Device Security Center said, “We strongly believe that nothing in our report should deter patients from receiving these devices if recommended by their physician. The implantable cardiac defibrillator is a proven, life-saving technology. We believe that the risk to patients is low and that patients should not be alarmed” (FAQ 2). Therefore, it seems that at this point in time we should not lose any sleep over these attacks. From the cases of successful exploitation cited above none of the authors wanted to release to the world the precise implementations of their attacks. Besides needing to engineer the attacks himself, a malicious adversary would also need a worthwhile motive for the attack and be within a close proximity of the target (FAQ 2).

The later case study mentioned comes from the Medical Device Security Center which has been researching and prompting means to further the development of security within these devices that they have referred to as “zero-power and sensible defenses for IMD security and privacy” (Pacemakers 10). I will not take the time now to dive into those suggestions but if there is interest I would make the invitation to read the cited article.

Going Forward

With the popularity of these devices growing and with the growth and spread in wireless technologies that we have seen over the last 5 years, what precautions need to be taken to protect patients using these medical devices? Currently, there appears to be little to no regulation regarding these types of wireless devices. According to a CNN Tech Report from 2010, a Food and Drug Administration representative, Karen Riley, “declined to say whether the the FDA is looking into new regulations of wireless medical devices” adding “that the responsibility for making the devices secure falls primarily on the manufacturer” (Sutter 1).

Do you believe that the a government agency like the FDA should get involved and start passing regulator requirements in regards to the security of these medical devices? Personally, its a tough question that needs further exploration. I question whether or not effective regulations could be made to ensure the proper design and manufacturer of secure medical devices. Specific technology is hard to break down and generalize for regulations, and technology built to mimic or regulate physical conditions of the human body is even more complex. I half jokingly fear that if the FDA stepped in we could potentially have IMD regulation books as large as the IRS tax codes which would hinder development and innovation more than secure it. For now I feel its in the best interest of the industry to step up and take some proactive measures towards securing their own devices without the need for government regulation. What are your thoughts?


Halperin, D., et al. “Frequently Asked Questions (FAQ): Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.” Medical Device Security Center, n.d. Web. 24 Sep 2012. <http://www.secure-medicine.org/icd-study/icd-faq.php>.

Halperin, D., et al. “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses”. Security and Privacy, 2008. SP 2008. IEEE Symposium on. 2008. 129-142. Print.

Halperin, D., et al. “Security and Privacy for Implantable Medical Devices.” Pervasive Computing, IEEE 7.1 (2008): 30-9. Print.

Kaplan, Dan. “Black Hat: Insulin pumps can be hacked.” SC Magazine. Haymarket Media Security., 04 Aug. 2011. Web. 24 Sept. 2012.

Nelson, Glen D., M.D. “Innovation and Invention in Medical Devices: Implantable Defibrillators”. Workshop of the Roundtable on Research and Development of Drugs, Biologics, and Medical Devices, Board on Health Sciences Policy. Wyndham City Center Hotel, 1143 New Hampshire Avenue, N.W. Washington, D.C. 17 – 18 February 2000. Conference Presentation.

Sutter, John D. “Scientists work to keep hackers out of implanted medical devices.” CNN Tech, CNN.com,16 Apr. 2010. Web. 24 Sept. 2012.




Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: