Discuss as:

Death by defibrillator: FDA called to address hacking risk

NIH

Implanted defibrillators could be a target for hacking, a new report warns. More than 130,000 were implanted in patients in the U.S. in 2009.

It sounds like a scenario out of a James Bond movie: a villain spots his quarry and uses a small device to hack into the official’s heart defibrillator, sending a signal for mayhem. There’s chest grabbing, and a collapse, and alarms, but the bad guy walks free because there’s no gun, knife, poison dart -- no evidence at all a murder has been committed.

According to a recent report by the Government Accountability Office (GAO), a non-partisan agency that works for Congress, not only is such a scenario possible, there’s a growing danger that grandpa’s heart rhythm device, or, say, a child’s insulin pump – any implantable device that can be accessed remotely --  could be susceptible to hacking.

But the GAO report suggests that the Food and Drug Administration, which approves and regulates such devices, has been behind the curve when it comes to security and now is calling for the agency to set guidelines for manufacturers to help combat the threat of hacking.

According to the report, which had been requested by members of Congress in light of tests by researchers revealing the vulnerability of the medical technology, “there have been four separate demonstrations in controlled settings showing that the intentional exploitation of vulnerabilities in certain medical devices is possible.” The report stressed that there have been no proven cases of anybody actually doing this for nefarious purposes.

Still, when he released the GAO report, Congressman Edward J. Markey (D-Mass.), one of the requesting legislators, issued a statement saying that  “wireless medical devices are susceptible to increasingly advanced hacking techniques that could threaten patient health.”

The susceptibility stems largely from their wireless communications abilities, explained Nathanael Paul, chief scientist at the Center for Trustworthy Embedded Systems at Oak Ridge National Laboratory. In 2010, Paul and a colleague demonstrated they could hack into an insulin pump, like the one Paul himself wears to treat his Type 1 diabetes.

Thanks to wireless communication, doctors can download diagnostic information and health status from the device to a computer and make changes in the performance of a device without surgery. For example, defibrillators can be programmed using a wand that communicates with the device inside a patient’s chest.

But as anybody who has experienced neighborhood confusion over garage door openers operating the wrong doors can attest, that can leave devices vulnerable to attack or simple accident.

“This year, for example, a young lady in the Salt Lake City airport asked TSA if she should walk through a security device,” Paul recalled by way of illustration. “TSA said yes, basing that on the experience of thousands of people with insulin pumps. She walked through and her pump responded in an unanticipated way that could have threatened her life.”

Causing a device to misfire intentionally to cause harm takes technical sophistication, but it’s certainly do-able, he said. And there are a lot of potential targets. According to a 2011 report from the World Society of Arrhythmias, in just one year, 2009, 133,262 defibrillators were implanted in patients in the United States -- 434 devices for every million people -- and that’s just one device for one condition.

Preventing potential hacking it might seem as simple as requiring a password for access. Another strategy could be to limit the distance devices can send information back and forth. The tests demonstrating vulnerability showed the range of some devices could be up to 300 feet.  Paul has been exploring that possibility. Software changes are another avenue.

But enhancing security of a vital medical device isn’t as simple as it sounds. The primary purpose of any medical device is to preserve health, not keep out bad guys. Installing security software could put more demand on battery life, for example. And suppose a patient has a defibrillator, his doctor’s office is closed, and he feels chest pains? He could go to an emergency room, but, panicky, could easily forget the password. The ER doctors then could not get access to whatever the device has to tell them.

Whatever solutions are to be found, the onus for making sure manufacturers implement them has now fallen mainly on the FDA.

The GAO recommended the FDA make security risks part of premarket approval just like FDA’s more traditional criteria, safety and effectiveness. It also suggested FDA begin working with other federal agencies whose primary duties focus more on cyber security, make the issue one of the things it monitors during postmarket review, and “establish specific milestones for completing this review and implementing these changes.”

Markey, through his office, told NBC that FDA must  place “renewed emphasis” on the security of the devices under its purview. “I look forward to hearing from the FDA on progress to address this risk,” he said.

The agency does seem to be gearing up to take a more aggressive stance. In its response to the GAO report, the FDA noted that it has recently begun collaborating with the Department of Homeland Security, the National Institute of Standards and Technology, and the Department of Defense, and law enforcement. The FDA’s Center for Devices and Radiological Health has also a National Postmarket Surveillance Plan to better track adverse events related to devices.

“FDA concurs with GAO that the agency continuously develop and implement new strategies designed to assist the agency in its medical device premarket review and postmarket surveillance efforts relative to information security,” agency spokesperson Michelle Bolek told NBC.

The agency is studying the ways other industries are battling cyber security threats for any strategies manufacturers can incorporate into the devices. That’s where researchers like Paul come in.       

The FDA and industry have begun consulting with him and others, he said, and he’s optimistic about progress. “I think they are doing a large amount of work. They are responding, and so are manufacturers,” said Paul, who doesn’t personally profit from such consulting.

He also argued that the potential risk to the security of medical devices is far outweighed by the benefits of the devices.

In other words, don’t panic.

Brian Alexander is co-author, with Larry Young Ph.D., of "The Chemistry Between Us: Love, Sex and the Science of Attraction," now on sale. 

Related stories: