Pacemakers and Other Medical Devices Are at Risk of Being Hacked, Scientists Warn

In a world increasingly connected through technology, the potential for online hackers to cause havoc for companies, institutions and individuals is growing at an alarming rate.

A report published in the Journal of the American College of Cardiology focuses on an emerging new threat: cybersecurity risks to electronic cardiac devices, such as pacemakers.

For the paper, a team of researchers from the University of Kansas, the University of Washington and the University of Chicago, among other institutions, examined various reports from security testers of vulnerabilities in cardiac devices. They found that these devices were susceptible to hacking due to lax security features—and that this weakness could potentially have life-threatening implications for users.

The authors suggest certain steps that could be taken to "improve cybersecurity from the standpoint of manufacturers, government, professional societies, physicians, and patients."

Cardiac devices are becoming increasingly integrated with Internet-connected software and computer networks, making them susceptible to malicious hackers, according to study author Dhanunjaya R. Lakkireddy, a professor of medicine from the University of Kansas.

A hacker intending to do physical harm—whether it be a terrorist or other type of criminal—could gain access to a patient's implanted device remotely by using a computer with an Internet connection. That access could enable the hacker to disrupt the functioning of the device or deactivate certain features in these technologies.

Read more: North Korean cyber army poses increasing risks as it expands its global reach, cybersecurity group warns

Such disruptions could include running down the battery of a pacemaker, a device used by around 3 million people worldwide. Or the intrusion could interfere with the heartbeat-sensing technology inside a pacemaker, which regulates a heart rhythms. Both of these scenarios could prove fatal for the user. In the case of drained battery, the pacemaker won't be able to respond to potentially dangerous irregular heartbeats.

And if the sensing technology is damaged, a phenomenon known as oversensing—when electrical signals are inappropriately recognized as normal heart activity—may occur, which can result in lethal shocks.

Implantable cardioverter defibrillators, which prevent sudden death from abnormally fast heart rhythms, could also be hacked, potentially proving fatal.

GettyImages-623803614 Hackers could pose a threat to medical devices. DAMIEN MEYER/AFP/Getty Images

The researchers suggest various steps that could be taken to address cybersecurity issues in these technologies. Installing frequent software upgrades in vulnerable devices could keep the device protected against new threats, for example. Educating physicians about potential cybersecurity risks may also help. In addition, Lakkireddy said software designers need to consult with security experts and medical advisors in the early stages of developing their products.

In October 2014, the U.S. Food and Drug Administration issued guidance describing the type of security features that manufacturers should install in their products—a sign that the vulnerability of medical devices is being taken seriously by government agencies.

The researchers note that, to date, there have been no documented cases of malicious hackers gaining access to a cardiac device. However, they stress that the vulnerabilities are real and that adequate preparation will ensure that risks are minimized in future.