Hacking an ICD

Implantable cardiac defibrillators (ICDs) are battery-powered, computerized electronic devices implanted in the body. They are designed to detect dangerous heart rhythms and administer a shock to the heart to stop these them. We have discussed these devices before, including a story about how one manufacturer suppressed data that suggested some of their ICDs were less reliable than heretofore thought.

It appears that a new, and potentially worrisome adverse effect of these devices has just been discovered.

An article to be published in the IEEE Symposium on Security and Privacy [Halperin D, Heydt-Benjamin TS, Ransford B et al. Pacemakers and implantable cardiac defibrillators: software radio attacks and zero-power defenses. IEEE Symposium Security Privacy 2008; in press. Link here.] demonstrated the vulnerability of an implantable cardiac defibrillator to computer hacking.

Let me set the stage. ICDs, and other implantable devices may need to be tested, and sometimes their functional parameters need to be adjusted. Obviously, it would be cumbersome and hazardous to remove such a device after it was implanted to check and adjust it. So the devices incorporate methods to check and adjust them remotely. It appears most do so using "wireless" means. Wireless, of course, is the traditional UK term for radio.

Halperin et al found that they could communicate with a representative ICD, the Medtronic Maximo DR VVE-DDDR model via radio. Note that the ICD they tested was not implanted in a patient, but sitting on a bench, and that their radio equipment used to "hack" it was in close proximity to it.

Once they figured out how to communicate, the found that they could:
- Discover patient data such as name, date of birth, medical ID number, and medical history
- Monitor electrophysiological telemetry data
- Turn off specific ICD functions
- Induce the ICD to deliver a shock, potentially one that could cause a severe rhythmn disturbance
- Increase the power consumption of the ICD so that its battery would fail prematurely.

Further, they found that they could overcome a design feature of the ICD meant to prevent anyone from communicating with it from more than a very short distance. The ICD is not supposed to respond to radio signals unless it is first exposed to a strong local magnetic field which triggers a magnetic switch in the device. But the investigators found, "in order to rule out the possibility that proximity of the magnet ... is necessary for the ICD to accept programming commands, we tested each ... attack with and without a magnet near the ICD. In all cases, both scenarios were successful."

Thus, this article suggested this ICD could be hacked, and that hacking it could pose significant risks to patients who had the ICD implanted.

Some people doubted that such hacking could actually take place in real-life, as opposed to laboratory settings. For example, per the AP story, FDA spokesperson Pepper Long "acknowledged a hacker could use specialized software and a small antenna to intercept transmissions from a defibrillator. But she said the chance of that happening — or of a defibrillator being maliciously reprogrammed using a technique similar to the one a doctor would use to program it — was 'remote.'" Furthermore, per the Reuters story, "Medtronic's Rob Clark said the company's devices had carried such telemetry for 30 years with no reported problems. 'This is a very low-risk event for patients that have these devices,' Clark said in a telephone interview."

In my humble opinion, however, the problems that Halperin et al found with the Medtronic ICD have real importance. Let me first note that both the FDA and Medtronic representatives treated the issue epidemiologically. They based their pronouncements on the assumption that an adverse event that has not happened in the past due to a device in wide use is not likely to happen in the future. That does not make sense if the potential adverse event would involve conscious, malicious human action. Just because hackers have not yet attacked an ICD does not mean they will not do so in the future, especially after the possibility of doing so has gotten wide publicity.

Another way some have minimized the practical importance of their findings is that the experiment by Halperin et al was carried out on an ICD on a bench, using equipment that was in close proximity. Some may thus feel that the possibility of hacking carried out from longer range is low. I strongly believe that is not a good assumption. Many features of the ICD and its radio communication system suggest that hacking could be carried out from considerably longer range. There are hints in the Halperin et al article that could suggest to anyone moderately knowledgeable about radio how this could be done. I do not want to discuss these in any more detail, because I do not want to facilitate such long-ranging hacking. But I believe it is a real danger.

But why is this relevant to Health Care Renewal? It seems glaringly obvious that the risk of hacking could have been substantially reduced had the ICD been designed so it would not respond to any radio communication that did not have an appropriate authorization code, and/or if communication with it were encrypted. In fact, Halperin et al suggested some relatively simple measures that could be used to increase the security of these devices. Yet the Medtronic ICD, and presumably other ICDs and implantable devices, were not designed with such elementary security precautions in mind. As security expert Bruce Schneier wrote (reported in Information Week),

Of course, we all know how this happened. It's a story we've seen a zillion times before: The designers didn't think about security, so the design wasn't secure.

But an ICD is a device whose correct operation is critical for the health and safety of patients in whom it is implanted. One would think that the managers responsible for the design of such devices would have pushed to make sure that the operation of such devices could not be hacked or accidentally altered in ways that could put patients' health and lives at risk. The most charitable explanation for why they did not think to do so is that they really did not understand the clinical context in which this device would be used.

This is yet another reminder that those who run health care organizations often fail to think about patients' welfare first instead of other considerations. We need to change the culture of health care organizations to put patients first. Until we do so, we are going to get hacked.