Boston, MA - The same kind of hacking that can threaten sensitive information stored on computers may pose a risk to implantable cardioverter defibrillators (ICDs) that have wireless programming capability, allowing unauthorized access to personal data and tampering with device functions, news organizations reported yesterday [1,2,3,4].
The stories were based on interviews with the scientists who conducted a laboratory simulation of ICD hacking, and a report of their findings that is available on the web [5] but not yet formally presented or published.
The Boston Globe story, from reporter Carey Goldberg, quotes a senior coauthor, Dr William H Maisel (Beth Israel Deaconess Medical Center, Boston, MA), as saying, "With some technical expertise, we were able to retrieve information from the device in an unauthorized fashion," send commands to the ICD, reprogram settings, "and even tell the device to deliver a high-voltage shock."
The story explains that because of the technical skill needed, the likelihood of such unauthorized access to an ICD "is extremely remote." Maisel says, "It's important to know that there has never ever been a single reported episode of this type of malicious attack on a defibrillator," assuring readers that "patients are much better off having the defibrillator than not."
Maisel adds, "If I were getting an implantable defibrillator today, I would ask for one that had wireless capability."
The report, which can be viewed at the Medical Device Security Center website run jointly by Maisel's institution, the University of Massachusetts Amherst, and the University of Washington, in Seattle, "will be presented and published" at the Institute of Electrical and Electronics Engineers Symposium on Security and Privacy in Oakland, CA, this May, according to a Beth Israel Deaconess press release [6].
The news reports observe that the report omits information that could permit unauthorized access to ICDs and, as noted by reporter Barnaby J Feder of the New York Times, makes clear that patients with the devices "have no need yet to fear hackers." The experiment, he writes, "required more than $30 000 worth of lab equipment and a sustained effort by a team of specialists . . . to interpret the data gathered from the implant's signals."
The news reports observed that the ICD tested by Maisel and his colleagues was a Maximo from Medtronic, and some strongly implied that the hacking risk is peculiar to that company. The Times story, however, notes that the Maximo was chosen because it was considered "typical of many implants with wireless communications features."
The Times also quotes coauthor Dr Tadayoshi Kohno (University of Washington) as saying, "The risks to patients now are very low, but I worry that they could increase in the future." Kohno is described as having previously studied "vulnerability to hacking of networked computers and voting machines."
In a press release issued by the Heart Rhythm Society [7], apparently to alleviate any concerns generated by the media coverage, society president Dr Bruce Lindsay (Cleveland Clinic, OH) says, "Although the experiment by Dr Maisel and colleagues is a technical study that may be of interest to engineers who design wireless transmission systems, the results do not have any important implications for patients, and there is no reason for alarm. . . . This is not a product failure or safety recall."
Lindsay was apparently interviewed by Associated Press reporter Mark Jewell, who quotes him as saying that "defibrillator transmissions are not designed to withstand terrorist attacks. . . . But I don't think the findings have any great clinical significance. . . . To hack the system, you have to get the programmer right up against the patient's chest. It's not as if somebody could do this from down the street."
Jewell also quotes Maisel: "Our issues are less with the current generation of devices than with where we see the industry going with implanted medical devices."
In coverage for the Wall Street Journal by reporter Keith J Winstein, the FDA weighs in. An agency spokesperson is quoted as saying, "The chance of an ICD being reprogrammed by a computer hacker is extremely remote." The FDA is described as "working on standards to raise the security of medical devices that receive instructions over radio waves."
But Winstein also quotes Dr Aviel Rubin, "a professor of computer science at Johns Hopkins University who wasn't involved in the research." He says, "I find it absolutely terrifying, the idea of having computer-controlled devices implanted in us. . . . If you can imagine what you might do in a very busy area, sending out a signal that would cause [the implanted devices of] all of the people in the local area . . . to operate incorrectly, it's a really scary future we're headed toward."
1. Goldberg C. Heart devices vulnerable to hack attack. Boston Globe, March 12, 2008. Available at: http://www.boston.com/news/local/massachusetts/articles/2008/03/12/heart_devices_vulnerable_to_hack_attack/?page=full.
2. Feder BJ. A heart device is found vulnerable to hacker attacks. New York Times, March 12, 2008. Available at: http://www.nytimes.com/2008/03/12/business/12heart-web.html?_r=1&oref=slogin.
3. Jewell M, Associated Press. Researchers hack defibrillators. Times Record News, March 12, 2007. Available at: http://hosted.ap.org/dynamic/stories/H/HEART_DEVICE_HACKING?SITE=TXWIC&SECTION=HOME&TEMPLATE=DEFAULT.
4. Winstein KJ. Heart-device hacking risks seen. Wall Street Journal, March 12, 2008. Available at: http://online.wsj.com/article/SB120528705417629357.html.
5. Halperin D, Heydt-Benjamin TS, Ransford B, et al. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. Medical Device Security Center. Available at: http://www.secure-medicine.org/icd-study/icd-study.pdf.
6. Beth Israel Deaconess Medical Center. Defibrillator safety and security compromised [press release]. March 13, 2008. Available at: http://www.bidmc.harvard.edu/default.asp?node_id=3.
7. Heart Rhythm Society. Heart Rhythm Society statement on ICD safety [press release]. March 12, 2008. Available at: http://www.hrsonline.org/News/Media/press-releases/statement_ICDsafety.cfm.



























