I was looking over famed security researcher and cryptography expert Bruce Schneier's blog today and found an article on hacking medical devices. I have to admit that I was surprised, but I shouldn't have been. These days, "if you can build it, we can break it" seems to be the theme.
Schneier references a New York Times article, which discusses research performed by a combination of researchers from Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts Amherst, and the University of Washington. The article has one truly memorable quote:
"The threat seems largely theoretical. But a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker.
"They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal — if the device had been in a person. In this case, the researchers were hacking into a device in a laboratory."
So, basically, using the device as a means to murder someone seems to be a potentially exploitable vector. Also mentioned was the ability to steal confidential user data from the device, as it transmits this data unencrypted.
Of course, there were some caveats, such as proximity to the device, but a reasonable person would assume that some of these caveats could be bypassed. Hopefully the companies involved with the production of these devices, as well as the medical community as a whole, will realize security cannot be an afterthought.
I don't think anyone is suggesting people don't get a pacemaker until these issues are fixed, but the research is a strong indicator we need to spend more time assessing the security of medical devices, systems, and facilities.