|
Medical devices such as pacemakers are vulnerable to attacks by
hackers, who could gain access to a patient's private details or
reprogram their device and put their health in jeopardy, a US study
showed Wednesday.
A research team led by computer scientists Kevin
Fu of the University of Massachusetts and Tadayoshi Kohno of the
University of Washington, and cardiologist William Maisel of Harvard
Medical School was able in lab tests to intercept signals sent from
an implantable cardiac defibrillator (ICD).
"The device contained information like the
patient's name, their therapy settings, their date of birth and some
other information from their doctor," Fu told AFP.
"In addition, we were able to modify the
settings on the device using an unauthorized machine we built. So,
for instance, we could cause defibrillation shocks to not happen
when they should and to happen when they shouldn't," he said.
Today's ICDs typically receive wireless signals
over a small distance, but technology is expanding the range of the
devices -- and creating greater potential for information to be
intercepted.
The study stressed that there have been no
reported cases of a patient with an ICD or pacemaker being targeted
by hackers.
"The greater concern is about what's going
to happen down the line as these devices become more sophisticated,
as they embrace wireless technology and connect to the Internet, as
they begin to hook up with other devices," said Fu.
"In the future, there may be a
defibrillator that talks to a drug pump in your body," he said.
"We want to make sure that the community
understands how security and privacy affect more traditional goals
of safety and effectiveness as new technologies are being integrated
into medical devices."
Maisel said that a key aim of the study was
"to encourage the medical device industry to think more
carefully about the security and privacy of patient information,
particularly as wireless communication becomes more common."
"Fortunately, there are some safeguards
already in place, but device manufacturers can do better," the
cardiologist said in a statement.
Despite the security flaws shown up by the
study, Fu stressed that the pros of being fitted with a pacemaker or
ICD far outweigh the security- and privacy-related cons.
"When a doctor tells a patient they need
one of these devices to live a normal and healthy life, they're much
better and much safer having the device than not having it," he
said.
He also said the likelihood of would-be
assassins trying to get close to someone they know has a pacemaker
or ICD to manipulate the device and kill the patient was very slim.
"That's a very creative idea but it's a
little bit elaborate and it would be rather challenging to build a
similar machine" to the one used in the study, he said.
In addition, the research team omitted details
in their published paper "that prevent the findings from being
used for anything other than improving patient security and
privacy."
"Maybe the assassin scenario would make for
a good spy novel, but there are much simpler ways to accomplish that
sort of thing," Fu said.
The peer-reviewed report will be presented and
published at the Institute of Electrical and Electronic Engineers
Symposium on Security and Privacy in Oakland, California in May.
-- AFP
|
