EDITOR'S PAGE
Technology has spurred immeasurable progress; however, it has also introduced unprecedented new dangers and vulnerabilities. As a growing number of people are unfortunately learning, security breaches such as identity theft are devastating realities that can plunge a person into financial ruin. However, a recent study shows an even more worrisome possibility. Hackers could up the ante in the ultimate invasion of privacy: electronic implant tampering.
A team of researchers from the Medical Device Security Center, a cross-disciplinary research initiative that includes Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts–Amherst, and the University of Washington, recently reported that it was able to breach the security of an implantable cardioverter-defibrillator (ICD). Using an ICD programmer, oscilloscope, and software radio, the team reverse-engineered the communications protocol of a Medtronic ICD. It was able to tamper with the device in order to extract private patient data and deplete battery power. Most frightening of all, however, the team was able to modify the ICD’s settings to change operation—it succeeded in causing device inaction and even induced fibrillation.
This research then raises the question: Should wireless implant manufacturers be concerned?
Yes and no. The idea of someone in the real world knowingly and maliciously reprogramming or stealing data from an implanted device seems rather far-fetched—not to mention extremely disturbing. As the researchers point out, this experiment was predicated on a theoretical attack; there thankfully have been no documented incidents of heart device hackers. The threat is likely not imminent, and the researchers refused to fully disclose their methods of attack so as to not encourage such a violation.
But while patients and OEMs have no immediate cause for concern about the security of present models, it would be wise of manufacturers to take this research into account when designing future iterations of wireless implants, which run the gamut from ICDs to neurostimulators and implanted drug pumps. The authors of the study suggest that device manufacturers explore capabilities that draw no power from the primary battery (dubbed zero power) for authentication and notification. Potential solutions include harvesting radio-frequency energy to power a cryptographic protocol or a piezo component that audibly alerts patients to something unusual. The researchers also encourage sensible key exchange, which combines those two ideas for vibration-based key distribution that provides patients with audible and tactile feedback during a breach. The catch, though, is adding these safeguards without introducing new defects into the mix.
Whether it’s a nation’s intelligence or an individual’s ICD, any breach of security is a serious matter because it puts people at risk. Therefore, OEMs need to equip devices to withstand the worst-case scenario, even if the worst-case scenario seems unlikely. The fact is that you never know what could happen. In this technologically evolving world, the time has come to assess the flaws of current wireless devices and compensate for them in the future.
Shana Leonard, Editor




