Friday, March 14, 2008

Hacking an ICD

Implantable cardiac defibrillators (ICDs) are battery-powered, computerized electronic devices implanted in the body. They are designed to detect dangerous heart rhythms and administer a shock to the heart to stop these them. We have discussed these devices before, including a story about how one manufacturer suppressed data that suggested some of their ICDs were less reliable than heretofore thought.

It appears that a new, and potentially worrisome adverse effect of these devices has just been discovered.

An article to be published in the IEEE Symposium on Security and Privacy [Halperin D, Heydt-Benjamin TS, Ransford B et al. Pacemakers and implantable cardiac defibrillators: software radio attacks and zero-power defenses. IEEE Symposium Security Privacy 2008; in press. Link here.] demonstrated the vulnerability of an implantable cardiac defibrillator to computer hacking.

Let me set the stage. ICDs, and other implantable devices may need to be tested, and sometimes their functional parameters need to be adjusted. Obviously, it would be cumbersome and hazardous to remove such a device after it was implanted to check and adjust it. So the devices incorporate methods to check and adjust them remotely. It appears most do so using "wireless" means. Wireless, of course, is the traditional UK term for radio.

Halperin et al found that they could communicate with a representative ICD, the Medtronic Maximo DR VVE-DDDR model via radio. Note that the ICD they tested was not implanted in a patient, but sitting on a bench, and that their radio equipment used to "hack" it was in close proximity to it.

Once they figured out how to communicate, the found that they could:
- Discover patient data such as name, date of birth, medical ID number, and medical history
- Monitor electrophysiological telemetry data
- Turn off specific ICD functions
- Induce the ICD to deliver a shock, potentially one that could cause a severe rhythmn disturbance
- Increase the power consumption of the ICD so that its battery would fail prematurely.

Further, they found that they could overcome a design feature of the ICD meant to prevent anyone from communicating with it from more than a very short distance. The ICD is not supposed to respond to radio signals unless it is first exposed to a strong local magnetic field which triggers a magnetic switch in the device. But the investigators found, "in order to rule out the possibility that proximity of the magnet ... is necessary for the ICD to accept programming commands, we tested each ... attack with and without a magnet near the ICD. In all cases, both scenarios were successful."

Thus, this article suggested this ICD could be hacked, and that hacking it could pose significant risks to patients who had the ICD implanted.

Some people doubted that such hacking could actually take place in real-life, as opposed to laboratory settings. For example, per the AP story, FDA spokesperson Pepper Long "acknowledged a hacker could use specialized software and a small antenna to intercept transmissions from a defibrillator. But she said the chance of that happening — or of a defibrillator being maliciously reprogrammed using a technique similar to the one a doctor would use to program it — was 'remote.'" Furthermore, per the Reuters story, "Medtronic's Rob Clark said the company's devices had carried such telemetry for 30 years with no reported problems. 'This is a very low-risk event for patients that have these devices,' Clark said in a telephone interview."

In my humble opinion, however, the problems that Halperin et al found with the Medtronic ICD have real importance. Let me first note that both the FDA and Medtronic representatives treated the issue epidemiologically. They based their pronouncements on the assumption that an adverse event that has not happened in the past due to a device in wide use is not likely to happen in the future. That does not make sense if the potential adverse event would involve conscious, malicious human action. Just because hackers have not yet attacked an ICD does not mean they will not do so in the future, especially after the possibility of doing so has gotten wide publicity.

Another way some have minimized the practical importance of their findings is that the experiment by Halperin et al was carried out on an ICD on a bench, using equipment that was in close proximity. Some may thus feel that the possibility of hacking carried out from longer range is low. I strongly believe that is not a good assumption. Many features of the ICD and its radio communication system suggest that hacking could be carried out from considerably longer range. There are hints in the Halperin et al article that could suggest to anyone moderately knowledgeable about radio how this could be done. I do not want to discuss these in any more detail, because I do not want to facilitate such long-ranging hacking. But I believe it is a real danger.

But why is this relevant to Health Care Renewal? It seems glaringly obvious that the risk of hacking could have been substantially reduced had the ICD been designed so it would not respond to any radio communication that did not have an appropriate authorization code, and/or if communication with it were encrypted. In fact, Halperin et al suggested some relatively simple measures that could be used to increase the security of these devices. Yet the Medtronic ICD, and presumably other ICDs and implantable devices, were not designed with such elementary security precautions in mind. As security expert Bruce Schneier wrote (reported in Information Week),

Of course, we all know how this happened. It's a story we've seen a zillion times before: The designers didn't think about security, so the design wasn't secure.

But an ICD is a device whose correct operation is critical for the health and safety of patients in whom it is implanted. One would think that the managers responsible for the design of such devices would have pushed to make sure that the operation of such devices could not be hacked or accidentally altered in ways that could put patients' health and lives at risk. The most charitable explanation for why they did not think to do so is that they really did not understand the clinical context in which this device would be used.

This is yet another reminder that those who run health care organizations often fail to think about patients' welfare first instead of other considerations. We need to change the culture of health care organizations to put patients first. Until we do so, we are going to get hacked.


DrWes said...

"This is yet another reminder that those who run health care organizations often fail to think about patients' welfare first instead of other considerations. We need to change the culture of health care organizations to put patients first. Until we do so, we are going to get hacked."

Now Roy, in all fairness, do we really think the companies who manufacture these life-saving devices really had malicious intent not to encode their communications? Now I'm not a practicing engineer (I got my biomedical engineering degree a while ago), but the reality is that these devices require a serial number handshake with a programmer or magnet applied directly over the device to "wake up" the wireless telemetry feature (otherwise this feature would put unnecessary drain on the longevity of the device). Secondly, the maximum distance these "radios" can transmit is about 40 meters or so. They work on a special medical bandwidth to avoid interference with other more common signals inherent to the home environment (tho' admittedly aren't immune to interference). The devices have redundancy in their communication to assure stable communication, and can switch real-time to side frequencies if needed to assure reliable communication when reprogramming takes place. In fact, this was a central feature of Medtronic's device that was engineered just to assure patient safety during the sensitive moments during medical device reprogramming.

Now, it's also important to realize that there has never, ever been a case of clandestine programming of a defibrillator - perhaps because it's so challenging and expensive to implement. Further, I wonder if this feature is really clinically required in the case of defibrillators or pacemakers. Are we envisioning a counter-terrorist strike against a 72 year old grandmother? Or maybe a signal-jamming humvee outside our hospitals? Or maybe a parabolic antenna outside Dick Cheney's bedroom tranmitting a code to induce ventricular fibrillation? Could these guys really get within 40 meters of him?

But why stop there? I think we should be MUCH safer in hospitals from such attacks! All hospitals should install metal detectors and have us check our shoes before entering hospitals (like in airports?) to be really, really safe against other easier-to-implement terrorist actions? Why should we stop with patient safety measures with just the select few who have defibrillators? Think of all the lives we could save!

I guess it's like hand washing before surgery to avoid infection: do we want to wash for 3 minutes, 5 minutes, 10 minutes, or 30 minutes? Certainly, the longer the scrub the safer for the patient, right? But where should we draw the line? How much money should be devoted to this endeavor when many others can't even begin to afford these devices in the third world (or the US for that matter) already?

No one argues that patient safety is important. But remember who "created" this current defibrillator "crisis" (that really was not a "crisis"): doctors.

Sadly, it was doctors who have worked previously for the FDA (a branch who still has some problems, too, I might add) who hired highly trained computer scientists and engineers to hack into a device on a bench. It was NOT the engineers who have worked hard to assure the safety and integrity of this device. These doctors had access to the serial number of the device they hacked and could place a magnet over the device directly.

The definition of terrorism from is "the use of violence and threats to intimidate or coerce, esp. for political purposes." Could this research really be the worst form of "medical terrorism" or work for real patient safety as the authors suggest?

It is not so clear now, is it?

Roy M. Poses MD said...

With all due respect, Dr Wes -

Do I think it was malicious intent that lead to the failure to encrypt the communications? No, I suspect it was mainly due to pressure from management to do things faster and cheaper, possibly compounded by unfamiliarity with some basic radio frequency (RF) engineering principles. But just because the designers had no malicious intent does not mean the system weakneses could not be exploited by those who do.

Also, I suggest you read the original article in the IEEE journal and the comments by MedInformaticsMD here:

Then you may want to rethink your complacency about the safety of these devices.

The Halperin et al article showed how the investigators could communicate with the ICD without knowing the serial number, and without using the magnet.
The "special medical bandwidth" was old fashioned long wave at 175 kHz, a frequency the communications receiver on my desk at home can easily pick up. Long wave has been used for radio communications a very long time, and its particularly easy to design transmitter and receiver circuity that operates at this frequency.

The investigators could reprogram the ICD in ways that could have malicious effect were the ICD to have actually been implanted.

With further due respect, your argument that because no one has ever been known to maliciously reprogram an implanted ICD up to now means it will never happen is naive. A few years ago, acquiring a computer virus by simply being connected to the internet was unheard of. I did not then bother to have anti-virus software running on my computer because I thought that the only way to get a virus was to run infected software. Then someone figured out how to send viruses through the internet. And my unprotected computer was infected within days. So I had to buy fancy anti-virus software, clean out all the viruses I had acquired, and run the anti-virus software continuously ever since.

Nice joke about the metal detectors in hospitals. But they wouldn't do any good in this case, unless you also ban visitors with anything resembling electronic circuitry. But the real solution would be some simple, inexpensive security precautions built into the ICDs. (Some examples appeared at the end of the IEEE article.) Fixing this problem going forward would hardly bankrupt the medical system. But it would take some effort and a little spending on the part of ICD manufacturers.

Finally, suggesting that Halperin et al were somehow analogous to terrorists was stooping really low.
But messengers bearing bad news are often unpopular.

InformaticsMD said...
This comment has been removed by the author.
InformaticsMD said...

Are we envisioning a counter-terrorist strike against a 72 year old grandmother? Or maybe a signal-jamming humvee outside our hospitals? Or maybe a parabolic antenna outside Dick Cheney's bedroom tranmitting a code to induce ventricular fibrillation?

While these are frivolous examples, I would not rule them out on technologic grounds.

Could these guys really get within 40 meters of him?

Range of two-way communications depends on many factors including power output, antenna gain, receiver sensitivity and noise, and signal processing via algorithms for digital filtering and enhancement via common, cheap DSP chips, among others. Increase power out, antenna gain, [hacker's] receiver sensitivity, etc. and range goes up.

Some hams bounce signals off the moon for earth-moon-earth communications. They use high power, high gain antennas, and very low noise receivers. It works quite well.

Never underestimate what can be done at RF.

Anonymous said...

The probability of random noise interference triggering these devices is remote. Even in an MRI scanner, which not only has a static field of 1.5T, but also RF pulses and gradient coils switching on and off only interferes with pacemakers/ICDs on very isolated occassions.

Hacking an ICD to discover some shmoe's name or EKG waveforms is pointless, UNLESS its a high profile target, say perhaps, Dick Cheney.

To get to Dick Cheney though you would have to have inside information. Each ICD is different, and the model that he's carrying is not public information. So you'd have to know that first. Once you know that, you'd have to program a way to hack into the device on a spare model. That would take at least a few days. Then you would have to bring that wireless transmitter and computer within very close proximity to Dick Cheney for at least 5-10 mins to pull off the hack.

Considering that Dick Cheney has a formidable secret security presense, that aint happenin.

So really the fears about hacking ICDs are overblown. Yes, its possible. But the real question is WHY would somebody invest the time, energy, and money into doing this just to discover some random person's name or get access to his EKG waveforms? The only people that this would make sense to target have a very strong security presence rendering any ability to come into the close proximity required for such a hack formidable.

InformaticsMD said...

So really the fears about hacking ICDs are overblown.

I have discussed this issue with an engineering expert, Felix Fulmer, who points out the following:

The managers overseeing the space shuttle Challenger's booster didn't think exhaust blowby at the O-rings sealing the joints between the solid rocket booster (SRB) segments woiuld be a high risk, nor did the managers and engineers overseeing the Columbia think a little piece of foam could cause lead to catastrophe.

Remember, all it takes is one mischievous hacker who doesn't have to be any smarter or talented than, say, Tim McVeigh.

Why would someone want to do this? Why did someone poison tylenol capsules in drug stores in 1982? That did not make sense, but they did it anyway.

By the way, if you ever get an ICD, would you feel as confident about their imperviousness to the people whose motivations you claim don't exist?

DrWes said...

From the Washington Post:

"Although the results of Wednesday's study may seem scary at first glance, Kohno says the odds of someone actually carrying out this attack are low, because the hacker would have to somehow get all of this equipment within 4 inches (10 centimeters) of a target ICD."

So, again, what are the real life implications of this work? I suppose the medical device industry will now make their communications more secure, lest they be held negligent should any other malady befall the poor patient. Great. But how about some equipoise in this discussion on safety? Certainly Roy, your experience in this area is significant, as are the researchers who conducted this work. While I respect both your and their perspectives (and certainly you and they have been consistent on this point), fear-mongering the potential for disaster also has its shortcomings. Our special "patient privacy laws" and the usual presence of clothing makes identifying who has a device in the first place a bit difficult.

Powerful RF antennas you describe can kill without hacking a defibrillator by noise being detected as ventricular fibrillation anyway, causing the device to give spurious shocks. Why hack the telemetery? Just blast away and let 'em have it!

(See how perverse this becomes?)

InformaticsMD said...

fear-mongering the potential for disaster also has its shortcomings.

As a rule, I'd rather take a cautious approach than a cavalier one, even when the experts -- who may have internal conflicts of interest, tunnel vision, or just be over-optimistic - say "low risk."

By the way, as a matter of disclousre, I have no industry interests or connections, and have never taken a dime from the medical device industry.