Could hackers really take over your pacemaker?

Fans of the TV series Homeland may have wondered at the end of last season whether it is truly possible to hack into a pacemaker and cause someone’s death. That’s what the show’s terrorist organization did to the vice president. The answer is, scarily, yes.

For years, experts have warned about the vulnerability of medical devices to outside sabotage. The United States Department of Homeland Security (DHS) has even issued a warning that medical devices can be compromised by hackers. While it may seem far-fetched for a terrorist halfway around the world to tap into an individual’s pacemaker and cause a heart attack, it is perfectly plausible. And malicious attacks are not the only concern regarding this form of technology.

Many medical devices are controlled by software, just as your iPad, laptop, and smartphone are. As a result, security can be breached on a medical device just as it can be on other technology. Many people remember the time their iPhone software update temporarily turned their phones into dark-screened paperweights. Unfortunately, the same result is possible with wireless medical devices. Many are networked and can be monitored or controlled remotely, sometimes without adequate security engineering and protections.

In 2006, more than half of all medical devices marketed in the United States contained embedded software. And between 2002 and 2010, there were more than 537 recalls because of software malfunctions. Slight errors in computer code can result in significant patient risks. For example, a device that delivers a drug might give a patient 1,000 milliliters instead of the prescribed 10. And it is not possible to completely test systems in advance to ensure proper functioning.

To make matters worse, regulatory authority over the security of medical devices is unclear. No single agency is responsible. Instead, jurisdiction is shared among the Centers for Medicare and Medicaid Services (CMS), the Food and Drug Administration (FDA), the Department of Defense (DoD), the Department of Veterans Affairs (VA), and DHS. This has resulted in a lack of consistent accountability and oversight.

The FDA releases reports known as Manufacturer and User Facility Device Experience (MAUDE) reports, which include information on security issues. However, the agency does not require providers and suppliers to share information on many issues.

This is not to say that patients should avoid software-controlled devices. While the risks may be concerning, the benefits are significant in their convenience, capacity for customization, and greater potential for fine-tuning and management. Many medical treatments would not be possible but for the use of software control. However, additional security safeguards are clearly needed to ensure patient safety.

Although medical technology has advanced tremendously, it is clear that regulation of medical devices, at least in some regards, has not kept pace. Clearer oversight is needed, along with mandatory reporting of software flaws. A single government agency, such as the FDA, should be responsible for cybersecurity, and it should have the authority to investigate security issues before a device is approved for marketing. We need to make sure that intruders are kept out of our pacemakers before it’s too late.