Medical devices not immune to hackers

Designed to make things easier, advancing technology may instead be responsible for some unexpected problems within the health care industry.

A group of computer scientists and doctors recently announced that they were able to hack into a Medtronic Maximo DR model #7278 internal cardiac defibrillator and reprogram it in a way that could theoretically kill a patient. The tests were conducted within a laboratory and the device had not been inserted in a patient. Researchers found that Medtronic had not encrypted the signal, so they were able to easily obtain patient information while reprogramming the ICD. The study is available online at www.secure-medicine. org.

The study says that between 1990 and 2002, there were more than 2.6 million pacemakers and ICDs implanted in patients throughout the United States.

So, how were they able to get in?

"The newer devices can be adjusted to the clinical needs of the patient. We don't want to have to open somebody up every time you need to make an adjustment," said Mike Smith, Lee Memorial Health System's chief information officer. "There are security codes. It's not too likely that someone can go in there and make your heart beat at 300 beats per minute. I think the safety concerns here can easily be overblown. Other factors would have to line up to produce any harm."

Still, Smith and others acknowledged that as technology continues to advance in ways that help people, it could also be subject to external problems.

Currently, other technology that is being developed for internal use includes hearing aids, biomechanical limbs and electronic site devices.

Gwyn Fisher, chief technology officer with Klocwork - a software security company - said he works with clients that are daily facing this type of dilemma.

He said traditionally those who create medical devices were not looking out for malicious attacks and assumed that if they did not tell anyone how the devices actually worked that no one would bother to try to hack them.

Fisher said that he recently met with a client who wanted to connect the external cardiac defibrillator, like those located in airports across the country, to the Internet so that patient information could be sent to hospitals and paramedics.

Although the client was thinking in terms of how a patient can be further helped, Fisher said he pointed out to them that someone could easily hack into that device and reprogram it in a manner that could have it searching the universe for extraterrestrial life, rather than delivering the needed charge when a patient's heart stopped beating.

"The more personal a device, the more possibility there is for exploitation," Fisher said. "This is going on everywhere."

While this is something that the medical field is just beginning to understand, Fisher said with advancing technology, security attacks are more likely to happen. He said developers need to review their codes constantly to keep patients and their data safe.