Sensors made to pick up a heart's rhythm in implanted cardiac defibrillators and pacemakers could be subject to tampering, according to research from the University of Michigan.
An announcement from Michigan highlights experiments in simulated human models, in which researchers demonstrated that they could forge an erratic heartbeat using radio frequency electromagnetic waves. They found that, theoretically, a fake signal, such as the one they created, could stop necessary pacing or induce unnecessary defibrillation shocks.
The researchers did emphasize that they don't know if this has ever happened, and say actually doing it would be difficult.
"Security is often an arms race with adversaries," said Wenyuan Xu, assistant professor of computer science and engineering at the University of South Carolina, one of the researchers, in the announcement.
"As researchers, it's our responsibility to always challenge the common practice and find defenses for vulnerabilities that could be exploited before unfortunate incidents happen. We hope our research findings can help to enhance the security of sensing systems that will emerge for years to come."
Though this isn't the first time vulnerabilities have been identified in implantable medical devices, it is the first to reveal potential risks in the common "analog" type of sensor, the kind that rely on inputs from the human body to cue actions. The team came up with some solutions to help the sensors determine authentic sensors, such as software that could ping the cardiac tissue to determine where the previous pulse came from.
Tampering with sensors is just one of many concerns regarding the security of mobile health devices, where the cost of security is often less than the cost of dealing with a security breach. Last fall, hospital medical devices that were riddled with malware was a serious security concern--reports of disrupted monitors, canceled patient appointments and shut down sleep labs were all too common.
The Government Accountability Office also pointed out last fall that the Food and Drug Administration needs to pay more attention to the security risks for electronic medical devices--which currently, they argued, rely too much on self-reporting from device manufacturers.
To learn more:
- read the announcement from University of Michigan