Integra Systems, Inc. recently viewed the episode of of Homeland where it shows the apparent host hacking into a pacemaker. This week I read an article in a IT magazine that was a reference to this where apparently several authors talk about how implantable medical device security could be exploited. Also this article in general touts that networked medical devices wired and wireless are very vulnerable.
Implantable medical device companies as well as medical device companies look at the following: Safety and reliability has everything to do with system engineering, design controls, hazards analysis, requirements & traceability, and overall quality system controls. Security and privacy requires similar quality system controls, but different mitigations than safety and reliability.
As one who has been in the cardiac pacing industry, what was shown on Homeland is science fiction. First for a pacemaker to actually have it's parameters to be changed, it has to be interrogated. This requires a specific proprietary programmer only to that company, be used with only that device and/or specific models. These programmers are controlled devices and requires multiple levels of security inherent in use. It then requires a programming head to be put on the patient's chest that activates a reed switch which places the pacemaker in an specific mode so that the parameters can be read. A magnet in the programming head activates this switch. Then and only then on the programmer can you make changes, and then these changes can be inputted into the device. The programming head must in place over the patient's chest for this to occur. In terms of monitoring the pacemaker while implanted, this only unidirectional, not duplex communications. There are all kinds of safety mechanisms and interlocks in place and our previous Vice President, Dick Cheney has had a pacemaker in place for years. You can imagine the level of scrutiny regarding his care. There are ten's of thousands of pacemakers and ICD(s), (implantable cardiac defibrillators) that have been implanted over the years and there has "never" been in instance of a pacemaker being hacked into that was implanted in a patient.
All enterprise grade embedded wireless 802.11a/b/g/n has to subscribe to WPA2. (See attached). Cisco Systems, Aruba Networks, Motorola, etc., all have as a part of their enterprise solutions sophisticated WLAN IDS (Intrusion Detection Systems). So for any person to tamper with or get into the embedded OS of a medical device, then would have to get around all the enterprise grade security in place.As I tell folks pretty much all the financial transactions of NASDAQ and NYSE amounting to million of $$ each day goes through a secure and bullet proof wireless network. I would suspect if someone wanted to hack into this network..well it may be a little more higher on the radar screen. As a side, Integra Systems, Inc., had to finish a WLAN design on highly secure government facility. We had to demonstrate that security on multiple levels was in place.