Look at this.....

[Guest guest]

A common new technology for monitoring defibrillators is vulnerable to hacking

and even to reprogramming that could stop the devices from delivering a

lifesaving shock, according to research to be released Wednesday.

In the past couple years, more than 100,000 patients in the U.S. alone have been

implanted with newer devices that reduce medical visits by sending information

on a patient to a bedside monitor that then sends the data to a doctor, usually

once a day.

In the model researchers studied, transmissions from the defibrillator to the

bedside monitor are not encrypted, which means that someone intercepting the

transmissions could retrieve such data as the patient's birth date, medical ID

number and, in some cases, Social Security number.

As the technology spreads to more medical devices, including pacemakers, spinal

cord stimulators and hearing implants — and as the range of the devices' radio

signals increase — the researchers predict patients' data will face increasing

risks.

" There will be more implanted devices and more wireless capabilities and

transmissions over greater distances, " said Dr. Maisel, one of the

study's authors and a Harvard-affiliated director of the Medical Device Safety

Institute at Beth Israel Deaconess Medical Center in Boston.

A Food and Drug Administration spokeswoman acknowledged a hacker could use

specialized software and a small antenna to intercept transmissions from a

defibrillator.

But she said the chance of that happening — or of a defibrillator being

maliciously reprogrammed using a technique similar to the one a doctor would use

to program it — was " remote. "

" The benefits clearly outweigh the risks, " said FDA spokeswoman Peper Long.

Defibrillators use electrical shocks to restore a normal heart beat when they

detect arrhythmia or other abnormalities.

Bruce , an electrophysiologist at the Cleveland Clinic and president of

the Heart Rhythm Society, said defibrillator transmissions are " not designed to

withstand terrorist attacks. "

" But I don't think the findings have any great clinical significance, "

said. " To hack the system, you have to get the programmer right up against the

patient's chest. It's not as if somebody could do this from down the street. "

The chief defibrillator makers are Medtronic Inc., Boston Scientific Corp. and

St. Jude Medical Inc. It was Medtronic's Maximo defibrillator that Maisel's team

studied.

Medtronic spokesman Rob said the risk of any " deliberate, malicious or

unauthorized manipulation of a device is extremely low. " Future versions capable

of transmitting signals as far as 30 feet from a patient will incorporate

stronger security, he said.

Boston Scientific said in a statement that its defibrillators " incorporate

encryption and security technologies designed to mitigate these risks, "

including measures to prevent unauthorized reprogramming.

St. Jude said, " As the study points out, the likelihood of unauthorized or

illegal manipulation of an implantable device is extremely remote, and St. Jude

Medical is not aware of such an event with our devices. "

" Our issues are less with the current generation of devices than with where we

see the industry going with implanted medical devices, " said Maisel, whose team

included computer scientists from the University of Massachusetts at Amherst and

the University of Washington.

Maisel and fellow author Tadayoshi Kohno — a University of Washington assistant

professor who co-led a 2003 study that raised questions about the security of an

electronic voting system — acknowledged that no hacking has been documented.

Their study is to be presented and published May 19 at a conference of the

Institute of Electrical and Electronic Engineers Symposium on Security and

Privacy.