In a chilling episode of “Homeland” last year, a terrorist killed the vice president with a fiendishly clever weapon: a remote-control device that attacked the computerized defibrillator implanted in his chest.
For former Vice President Dick Cheney, it was all too realistic.
Cheney, who had heart disease for decades before receiving a transplant last year, had such an implant to regulate his heart rate and shock his heart back into life, if necessary. The defibrillator could be reprogrammed wirelessly from a short distance away. In 2007, he had the wireless feature disabled.
About the “Homeland” scenario, Cheney said on the Oct. 20 episode of “60 Minutes”: “I found it credible. It was an accurate portrayal of what was possible.”
But was it really? Medical experts say the answers are surprisingly complicated.
Cheney’s cardiologist, Dr. Jonathan Reiner of George Washington University, said in the “60 Minutes” interview that he agreed with his patient.
An assassin “on a rope line or in a hotel room next door” could have instructed the defibrillator to kill Cheney, he said, adding that a wireless programmable device “seemed to me a bad idea for the vice president of the United States.”
Other experts say the scenario is highly unlikely, though they couch their answers carefully.
The devices, used by millions of Americans, transmit data from a patient’s home to a doctor’s office, alerting the doctor of a malfunction. But the communication goes only one way; the devices being used today cannot be reprogrammed remotely.
Instead, patients must go to a doctor’s office. With some devices, they must be within inches of the reprogramming machine. Others can be reprogrammed from about 30 feet away, but a wand must be held close to patients’ collarbones to identify them to the machine.
“My opinion is it is probably unlikely that a remote attack of this nature could happen today,” said Kevin Fu, a University of Michigan expert on computer security.
But he emphasized the word “probably,” adding that he would never say something is impossible. “There can always be a flaw we are unaware of,” he said.
In fact, a precedent for the “Homeland” episode was a 2008 paper by Fu and others, who reported they had managed to change the settings on an implantable defibrillator so it would release deadly electric shocks. Of course, Fu noted, the experiment required almost a dozen people in a lab full of Ph.D.s. And investigators had to be as close as two inches from the defibrillator.
Still, the experiment became known as a proof of principle. It originated a decade ago, when Fu noticed that the Food and Drug Administration had issued a recall for software on an implanted heart device. He began to wonder about software updates and the security of medical devices. So he started calling cardiologists, trying to get more information.
Many hung up on him, Fu said, adding, “They thought I was crazy to worry about the security of a device in the chest.”
Finally, he got together with a colleague, Tadayoshi Kohno, a computer security researcher at the University of Washington. The two investigators and their colleagues set to work seeing if they could breach the security of a defibrillator that had been removed from a patient’s chest.
The defibrillator and the device used to program it communicated in their own language from a distance no greater than a few inches, Kohno said. The group figured out the language by turning various therapy commands on and off. After they learned the communication language, “we could generate the commands ourselves.”
At that time, “security was not on the radar yet” for medical devices, Fu said. “But there was a rapid trend toward wireless communication and Internet connectivity. We definitely raised awareness.”
He immediately heard from the device industry group, the Advanced Medical Technology Association, or AdvaMed, which invited Fu and Kohno to speak to its pacemaker working group, a small meeting where members discuss policy issues. Now, the device manufacturers are acutely aware of security issues, said Bernie Liebler, a director in the group’s technology and regulatory affairs department.
“Everyone runs a risk management program,” Liebler said. “You look at what can go wrong, what are the risks, what are the harms, what is the probability, what is the severity.
“You look at even the craziest risk. Could that happen by accident? Could it happen on purpose? You try to design a system in a way to make it not happen or to nullify what someone can do.”
And that includes the risk Cheney worried about. “Clearly, hacking into a digital device is a new risk,” Liebler said. “But it is a risk, and we are clearly concerned about it.”
Cardiologists have noticed a change.
“Over the years, manufacturers have added features that make it harder and harder to get into the software,” said Dr. Spencer Rosero, of the University of Rochester Medical Center.
The identifying wand is one such feature, said Dr. Arthur Moss, a cardiologist also at the University of Rochester.
So far, though, there has never been a reported case of anyone maliciously reprogramming a patient’s implanted defibrillator, Fu said. Today, he and others said, the real risk with electronic medical devices is much more mundane. It is the accidental introduction of the disruptive software called malware.
For example, Fu said, malware got into a pharmaceutical compounder, which controls the mixing of medications, at a hospital. Another time, malware got into a fetal monitor, making it slow down.
In 2011 alone, the Department of Veterans Affairs reported nearly two dozen malware infections in its hospitals.
“There are many, many computers in hospital environments,” Kohno said. “We need to seriously consider their safety and privacy.”
Dick Cheney says that to prevent terrorists from sending a fatal shock to his defibrillator, he had his doctors disable the wireless capability. Could somebody really kill you that way?