Computer scientists from several large universities have said that they can hack into Medtronic’s Maximo defibrillator – potentially causing it to fail. Wireless technology has been used to program defibrillators for many years, but the prospect of hackers being able to control the process has many patients very concerned.

The scientists’ report

The group consists of computer scientists from Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts Amherst and the University of Washington. They will be publishing an academic paper in May 2008 that will show that Medtronic’s Maximo DR, a combination defibrillator and pacemaker, can be hacked.

According to the paper, which is available online now, scientists “combined several reverse-engineering and eavesdropping techniques to intercept, understand and extract information from the communications between our ICD and a commercial programmer. Our results show that wireless transmissions disclose private data.”

The experiment only focused on Medtronic’s Maximo DR VVE-DDDR model #7278 ICD (implantable cardio defibrillator) which was introduced in the U.S. in 2003. The device incorporates pacemaking (steady, periodic electrical stimulation) and defibrillation (single large shock) functions and communicates with an external device programmer at a range of several centimeters. However, other devices with similar technology would most likely be targets for hacking as well.

Implications

While the study does not describe specific scenarios of attacks, the possibility of attacks has some consumers concerned about potential foul play – especially because these devices must be properly programmed in order to provide stimulation or shocks when a patient’s heart malfunctions. The scientists indicated that the medical industry and patients should be cautious:

The technologies underlying implantable medical devices are rapidly evolving, and it's impossible to predict exactly what such devices will be like in 5, 10, or 20 years. It is clear, however, that future devices may rely more heavily on wireless communications capabilities and advanced computation. Implantable medical devices (IMDs) may communicate with other devices in their environment, thereby enabling better care through telemedicine and remote patient health monitoring. There may also be multiple, inter-operating devices within a patient's body. Given the anticipated evolution in IMD technologies, we believe that now is the right and critical time to focus on protecting the security and privacy of future implantable medical devices.

Medtronic has indicated that they have not had any reports of attacks and that the likelihood of attacks is minimal. However, the company said that it continues to update security features of the devices.

To view the paper, go to: http://www.secure-medicine.org/icd-study/icd-study.pdf