Monday, February 8, 2016

Could hackers really take over your pacemaker?

Fans of the TV series Homeland may have wondered at the end of last season whether it is truly possible to hack into a pacemaker and cause someone's death. That's what the show's terrorist organization did to the vice president. The answer is, scarily, yes.

Could hackers really take over your pacemaker?


Fans of the TV series Homeland may have wondered at the end of last season whether it is truly possible to hack into a pacemaker and cause someone’s death. That’s what the show’s terrorist organization did to the vice president. The answer is, scarily, yes.

For years, experts have warned about the vulnerability of medical devices to outside sabotage. The United States Department of Homeland Security (DHS) has even issued a warning that medical devices can be compromised by hackers. While it may seem far-fetched for a terrorist halfway around the world to tap into an individual’s pacemaker and cause a heart attack, it is perfectly plausible. And malicious attacks are not the only concern regarding this form of technology.

Many medical devices are controlled by software, just as your iPad, laptop, and smartphone are. As a result, security can be breached on a medical device just as it can be on other technology. Many people remember the time their iPhone software update temporarily turned their phones into dark-screened paperweights. Unfortunately, the same result is possible with wireless medical devices. Many are networked and can be monitored or controlled remotely, sometimes without adequate security engineering and protections.

In 2006, more than half of all medical devices marketed in the United States contained embedded software. And between 2002 and 2010, there were more than 537 recalls because of software malfunctions. Slight errors in computer code can result in significant patient risks. For example, a device that delivers a drug might give a patient 1,000 milliliters instead of the prescribed 10. And it is not possible to completely test systems in advance to ensure proper functioning.

More coverage
Are doctors in it for the money?
You’re about to find out what health insurance really costs
Doctors die differently than their patients
We’re a lot sicker than we realize
U.S. healthcare costs: It’s time to get worried
Your Health Flexible Spending Account just got a little less flexible

To make matters worse, regulatory authority over the security of medical devices is unclear. No single agency is responsible. Instead, jurisdiction is shared between the Centers for Medicare and Medicaid Services (CMS), Food and Drug Administration (FDA), Department of Defense (DoD), Department of Veterans Affairs (VA), and DHS. This has resulted in a lack of consistent accountability and oversight.

The FDA releases reports known as Manufacturer and User Facility Device Experience (MAUDE) reports, which include information on security issues. However, the agency does not require providers and suppliers to share information on many issues.

This is not to say that patients should avoid software-controlled devices. While the risks may be concerning, the benefits are significant in their convenience, capacity for customization, and greater potential for fine-tuning and management. Many medical treatments would not be possible but for the use of software control. However, additional security safeguards are clearly needed to ensure patient safety.

Although medical technology has advanced tremendously, it is clear that regulation of medical devices, at least in some regards, has not kept pace. Clearer oversight is needed along with mandatory reporting of software flaws. A single government agency, such as the FDA, should be in charge of responsibility for cyber security, and it should have authority to investigate security issues prior to approval for marketing. We need to make sure that intruders are kept out of our pacemakers before it’s too late.

We encourage respectful comments but reserve the right to delete anything that doesn't contribute to an engaging dialogue.
Help us moderate this thread by flagging comments that violate our guidelines.

Comment policy: comments are intended to be civil, friendly conversations. Please treat other participants with respect and in a way that you would want to be treated. You are responsible for what you say. And please, stay on topic. If you see an objectionable post, please report it to us using the "Report Abuse" option.

Please note that comments are monitored by staff. We reserve the right at all times to remove any information or materials that are unlawful, threatening, abusive, libelous, defamatory, obscene, vulgar, pornographic, profane, indecent or otherwise objectionable. Personal attacks, especially on other participants, are not permitted. We reserve the right to permanently block any user who violates these terms and conditions.

Additionally comments that are long, have multiple paragraph breaks, include code, or include hyperlinks may not be posted.

Read 0 comments
comments powered by Disqus
About this blog

Do you have a large bill from a provider you didn’t expect? A claim that was denied without explanation? A change in your insurance plan you don’t understand? Do you need help sorting through data on the quality of your doctor or hospital or figuring out what your care will cost?

“Health Cents” will point you toward answers, while also offering insights on government health policy and political debates. Read more about our panel of bloggers here.

This blog is produced in partnership with Kaiser Health News, an editorially independent program of the Henry J. Kaiser Family Foundation, a nonprofit, nonpartisan health-policy research and communication organization not affiliated with Kaiser Permanente. Portions of this blog may also be found on and in the Inquirer's Sunday Health Section.

Robert I. Field, Ph.D., J.D., M.P.H. Professor, Drexel University Kline School of Law & Dornsife School of Public Health
Jeffrey Brenner, MD Founder of the Camden Coalition of Healthcare Providers, Medical Director of the Urban Health Institute at Cooper University Healthcare
Andy Carter President & CEO, The Hospital & Healthsystem Assoc. of Pa.
Robert B. Doherty Senior Vice President of Governmental Affairs & Public Policy American College of Physicians
David Grande, MD, MPA Assistant Professor of Medicine at the University of Pennsylvania
Tine Hansen-Turton Chief Strategy Officer of Public Health Management Corporation
Drew A. Harris, DPM, MPH Director of Health Policy Program at the Jefferson College of Population Health
Antoinette Kraus Director of the Pennsylvania Health Access Network
Laval Miller-Wilson Executive Director of the Pennsylvania Health Law Project
David B. Nash, MD, MBA Founding Dean of the Jefferson College of Population Health
Mark V. Pauly, Ph.D. Professor of Health Care Management, Business Economics and Public Policy at The Wharton School
Howard J. Peterson, MHA Managing Partner of TRG Healthcare, a national healthcare consulting firm
Paula L. Stillman, MD, MBA Healthcare consultant with special expertise in population health and disease management
Elizabeth A. W. Williams Senior Vice President & Chief Communications Officer for Independence Blue Cross
Latest Health Videos
Also on
letter icon Newsletter