New Risks

Every year, more than 7,500 people in the Netherlands get their first pacemaker [Brochure Hartstichting 2012:3]. According to the latest figures released by NVVC in 2007, over 4,000 Dutch people were getting an ICD annually [47]. According to CBS (Central Bureau of Statistics in the Netherlands), the most recent data put diabetes in the Netherlands in 2010 at around 4% of the population. The actual percentage is probably higher because there are people who do not know they have diabetes [CBS 2010] [29]. The total number of patients with an insulin pump is unknown, but according to figures from Reuters, the current use of Medtronic-brand insulin pumps in the Netherlands lies around 200,000 [61]. These data suggest that many people rely on RCMIs. It is therefore important to know how safe they are. Would, for example, the scene from Homeland be possible in real life? Or, to put it differently: how easy is it for malicious third parties to gain access to RCMIs?

A common thought is that it isn’t so easy to hack an RCMI, since you have to be near it and know the serial number [Stiles 2008]. But a study conducted in 2008 by the Medical Device Security Center shows that an ICD is easier to hack than people like to believe [Halperin et al. 2008]. The researchers managed to gain access to the ICD without using a serial number and were able to retrieve patient data and adjust settings to the extent that they could disable the ICD or administer a life-threatening shock to the heart [137-138]. However, the researchers were always close to the ICD when they carried out the attacks [130]. Later, in 2012, the late security researcher Barnaby Jack, who worked at IOActive, showed that it was possible to carry out attacks at a greater distance: he managed to hack a pacemaker at a distance of 15 meters [32]. Furthermore, Barnaby Jack demonstrated in 2011 that it is possible to hack a Medtronic insulin pump at a distance of 100 meters. He gained control over the insulin reservoir and would thus have been able to administer a fatal dose. In both cases, the hack took place without the use of the serial number [50]. He thus demonstrated that implants can be accessible to people who have bad intentions toward a patient.

https://youtu.be/THpcAd2nWJ8

Several experts find these developments worrisome:

“I find it absolutely terrifying, the idea of having computer-controlled devices implanted in us,” said Aviel Rubin, a professor of computer science at Johns Hopkins University who wasn’t involved in the research. “If you can imagine what you might do in a very busy area, sending out a signal that would cause all of the people in the local area’s implanted devices to start operating incorrectly, it’s a really scary future we’re headed towards” [Winstein 2008] [48].

Manufacturers and experts are trying to reassure the public by pointing out that there are no known incidents of patients whose RCMI was hacked [Halperin et al. 2008:130]. Dr. Maisel, one of the respondents in the article by Stiles and co-author of the article by Halperin et al., suggests:

“It’s important to know that there has never ever been a single reported episode of this type of malicious attack on a defibrillator.”

Maisel adds, “If I were getting an implantable defibrillator today, I would ask for one that had wireless capability” [Stiles 2008] [57].

Many experts state that the likelihood of such incidents is minimal given the technical knowledge someone must have to hack an RCMI [Stiles 2008; Umashankar et al. 2011:141,144] [45]. Removing the wireless capability is not seen as an option since the benefits would outweigh the risk that an RCMI gets hacked [Leavitt 2010:11] [58]. If extra security measures were taken, it is important to make sure that they do not hinder physicians from accessing the RCMI in an emergency. For example, when someone is abroad and develops health problems, a doctor should know that the person has an RCMI, and it should be easy for the doctor to access it. Lastly, extra security measures could shorten the battery life of a pacemaker / ICD, whose batteries must be surgically replaced [Halperin et al. 2008:138].

However, Dr. Maisel’s colleague Dr. Tadayoshi Kohno (University of Washington), also a co-author of the article by Halperin et al., is more cautious about these new developments:

“The risks to patients now are very low, but I worry that they could increase in the future” [Stiles 2008] [57:1].

Although there are no known incidents of a hacked RCMI, security expert Marc Goodman warns that this does not mean that it has never occurred. It is challenging to prove that someone was murdered when they die of hypoglycemia/hyperglycemia or a heart attack. First of all, most medical researchers lack the knowledge to determine whether an RCMI has been hacked. Second, the evidence of such a murder may not be located on the body but can involve someone from afar who has manipulated the RCMI via a computer [38].

Cybercrime is primarily known as a threat to the networks around us. But the accessibility of virtual implants means that cybercrime can also pose a danger to the human body. In addition to the ‘Internet of digitality’ and the ‘Internet of things,’ this might be the ‘Internet of bodies.’ What impact do these developments have on the degree of trust in RCMIs?

Reactions to these new risks

The responses on Dutch web forums to the news that RCMIs can be hacked are remarkably calm:

“It is a theoretical possibility that hackers could do that. You can wonder how big the risk is that a hacker does such a thing (unless you assume that hackers are homicidal psychopaths), for that matter the chance that something like this will happen is zero. Though it is never bad to make sure that such a hack is not possible in the first place.” [Security.nl, 18-04-2012] [50]

“This would surely be life-threatening if you are on such a pump and you hear this news I guess it can be frightening. On the other hand, it is nice that hackers are so busy because this way a lot of the security holes can be closed.” [tweakers.net 27-10-2011] [59]

But there are also more sarcastic comments:

“Been watching too much tv lately? Jeeeeez… what a getweaker about something that is theoretical anyway. Of course it is a problem, and of course, they will solve it. But this is nonsense news that also has been known for a long time.” [tweakers.net 27-10-2011]

The leading websites about RCMIs provide virtually no information about the possible hacking risks. One website, hartpatienten.nl, a website for patients suffering from heart disease, did place an article about the possibility that hackers can pose a danger to the heart [39]. The only disadvantages of the wireless capability of RCMIs mentioned on the website of the Hartstichting (a foundation for people with heart problems) are that it may result in less personal contact with the physician and that the patient must learn to recognize the signals of the ICD [see also Umashankar et al. 2011:140-141] [40]. Information brochures do not mention the potential risks of hacking RCMIs [AMC 2013; Elkerliek 2013; Diabetesvereniging Nederland 2013; Isala 2013; Martini Ziekenhuis 2012; Ter Gooi Ziekenhuizen 2012]. The information leaflet on pacemakers by Medtronic (a manufacturer of various RCMIs) emphasizes the continued progress in their products to improve the safety and reliability of pacemakers. They state that these advances might even be so high that modern pacemakers are among the safest medical technology devices that exist. In exceptional cases, electromagnetic fields can cause a temporary malfunction in the pacemaker [see also Tiikkaja et al. 2013]. This kind of fault may lead to dizziness, heart palpitations, or an irregular heartbeat. Once the device causing the interference is turned off, or if the patient moves away from the source, the pacemaker will, however, return to normal [Medtronic 2007: 6, 21] [45].