Can your Pacemaker be Hacked to Kill?

Pacemakers are life-saving electronic devices without any form of cyber security. Though they are not at high risk of attack, an attack is possible, especially as innovation continues, and those who use a pacemaker, or know someone who does, should be aware.

Technology saves lives. Now more than ever, huge advances in the medical field have allowed for more precise imaging, better diagnosis, robotic procedures, more accurate records, and so much more. Technology has become so much a part of the medical industry that there are laws regarding medical data that require special security (HIPAA Compliance).

The artificial pacemaker is a critical piece of equipment in the lives of many people, almost 200,000 in the U.S. today. It functions by sending regular, low-level electrical pulses to the heart, stimulating the electrodes that regulate the beating of the heart. New technology has made pacemakers customizable, allowing doctors to dictate the heart’s pulse.

What if the pacemaker could be hacked? What if technology could be used to remotely cause a heart to beat too fast, or even stop beating? It already happens when the pacemakers malfunction. If they could be caused to shut down, it could kill the user. Security for them is a life-or-death situation. Pacemakers, as produced today, are not capable of remote connection. However, they are currently programmable and adjustable.

This means that there is potential for them to be changed, or hacked. Perhaps not in a target-specific way, where an action movie villain hacks the OS of the pacemaker of the man across the cafe, but using other methods. The manufacturer’s system could be hacked, and malware could be injected anywhere (including the pacemaker itself). Imagine a life-saving device that had a “self-destruct” timer, or something like it, built in even before it was implanted.

Both the FDA (Food and Drug Administration) and the DHS (Department of Homeland Security) have officially recognized these potential threats as valid and possible. They have both issued official statements and recommendations for manufacturers of these devices. However, companies like St. Jude’s discount the information, stating that this was an “extremely low cyber security risk”.

“Low risk” doesn’t mean “no risk”, but it does mean that there is a possibility that it could happen, and kill someone. Reports state that there are more than 8,000 vulnerabilities in the code of the 7 pacemakers that were analyzed in the survey. Unencrypted data was also found being sent between monitoring systems, allowing for a potential attack.

In the world of ransomware and high-stakes hacking, cyber crime usually involves the theft of information, or of money. Data is very valuable, but so is life. And the possibility that a life would be held for ransom, rather than simply data, poses a very controversial question to the manufacturers of pacemaker devices.

I call upon manufacturers of medical devices everywhere to carefully consider the consequences of creating unsafe devices. I also encourage everyone who creates and invents new technology to consider how your device could become a carrier of cyber crime.