
Friday, 14 March 2008

Princess Health and Hacking an ICD - A Dual Medical Informatics/Ham Radio Perspective. Princessiccia

Roy Poses wrote at "Hacking an ICD" that:

An ICD is a device whose correct operation is critical for the health and safety of patients in whom it is implanted. One would think that the managers responsible for the design of such devices would have pushed to make sure that the operation of such devices could not be hacked or accidentally altered in ways that could put patients' health and lives at risk.

Indeed.

It is probably not well known that in addition to being a Medical Informaticist, I am also a ham radio enthusiast, licensed at the Extra class. I know more about electronics than most physicians - and most IT people in hospitals to boot, although that often didn't matter in the dysfunctional world of hospitals and health IT.

As a medical informaticist and ham radio operator, I am concerned by the possibility of hacking implantable medical devices at longer range than that accomplished by researchers recently.

Apparently ICDs use a frequency of about 175 kHz for data communications. 175 kHz is in a band known as longwave. For comparison and orientation, the bottom of the familiar medium wave band -- a.k.a. ordinary AM radio -- is 520 kHz.

(An aside for those interested: shortwave starts at about 1,800 kHz or 1.8 MHz and extends to about 30,000 kHz or 30 MHz, and is called "shortwave" for historical reasons; the actual wavelengths are approximately 160 meters to 10 meters. These wavelengths were considered "short", comparatively speaking, in the early days of radio. The shortwaves have the property, under proper conditions, of being refracted back to earth by the earth's ionosphere and can be reflected by the earth itself. This allows the waves to do "multiple hops" and propagate over great distances far in excess of line-of-sight, even around the world. Hence the ability of ham radio enthusiasts to talk to people all over the world on the shortwave bands allocated to them.)

When I was 13 years old I built a one-transistor transmitter on a cigar box from a plan by Heathkit that transmitted low power morse code at a frequency of about 550 kHz. It ran off a few AA batteries and used a short wire as an antenna. It was easily receivable on a radio across the house.

The first cordless phones ca. early 1980s, wireless baby monitors, and other devices operated at about 1,700 kHz, just above the AM radio band. They were very low power devices with short antennas relative to wavelength (~175 meters) but were usable at dozens of feet from their base units.

Using an antenna, say, the size of a CB whip (properly loaded electrically to resonate at 175 kHz, not very efficient but usable), or even better, a directional loop antenna, plus a transmitter of 5 or 10 or, perhaps, 100 watts of power (not very hard to build), and using a sensitive receiver designed for those frequencies (my $150 retail Grundig Yacht Boy is an example, http://www.eham.net/reviews/detail/816) with modifications and a suitable low-noise receiving antenna, would potentially extend the range of communications with RF-controlled implantable devices.

Not to miles with any type of portable equipment, I should add, due to efficiency issues with very short antennas (relative to wavelength) and the low power of the ICD's transmitter, but tens of feet might be possible. Throw in digital signal processing on the hacker's receiver, which is available via common, cheap, off-the-shelf DSP chips and algorithms, and even more range would be likely. You would be surprised at what a DSP-equipped and/or computer-enhanced receiver can pull out of the "ether" even under extremely poor signal conditions.

One wonders if any ICD's transmitter and receiver are encrypted in any way - apparently the devices tested were not. My car fob is, although even those can be hacked (e.g., "Prius Security System Cracked", http://www.treehugger.com/files/2007/08/a_talk_given_at.php):

A talk given at the computer security conference, CRYPTO 2007, explained how the key-fob system installed on the Toyota Prius has been cracked. The KeeLoq auto anti-theft cipher is used in common devices made by Microchip Technology Inc, which are also used by Chrysler, Daewoo, Fiat, General Motors, Honda, Volvo, Volkswagen, and Jaguar. The attack requires that the thief gets within range of your RFID keyfob, in order to break the encryption. This could mean stealing your keys, or just sitting next to you in a cafe with a laptop. The cipher used in these devices is 64 bit, which has always been theoretically possible to break, but has now been shown to be breakable in about an hour. This is important, because the shorter the amount of time required with the key, the more likely this attack is to become used outside of a research lab.

May I add that while encryption is not foolproof, lack of encryption seems the work of fools.

On a somewhat unrelated note, for $30 you can buy a wristwatch that picks up time-setting signals from an atomic clock via station WWVB, Fort Collins, Colorado (http://en.wikipedia.org/wiki/WWVB) at the longwave frequency of 60 kHz. I have one and in Philadelphia, it works well.

Some hams bounce signals off the moon for earth-moon-earth communications. They use high power, high gain antennas, and very low noise receivers. It works quite well.

Never underestimate what can be done at RF.

On one (predictable) industry response:

Medtronic's Rob Clark said the company's devices had carried such telemetry for 30 years with no reported problems. 'This is a very low-risk event for patients that have these devices,' Clark said in a telephone interview.

It would have been just a bit harder to hack a computerized device 30 or 20 or even 10 years ago. When kids can buy a laptop with computing power exceeding that of the Cray supercomputer for $500 and crack into, say, the Pentagon's systems, we are indeed living in different times.

Dr. Poses also wrote that:

The most charitable explanation for why they [the manufacturers] did not think to [engineer ICD's to be exceptionally hacker-proof] is that they really did not understand the clinical context in which this device would be used.


I think a better explanation is that the manufacturers' management has little imagination and underestimates the capabilities of people much smarter and more creative than themselves (e.g., tech-savvy kids). It would not surprise me to find engineering memos warning management that more safeguards needed to be incorporated, only to be asked "What's the ROI?"

The bottom line is: manufacturers might need to work a little harder when they deploy wireless devices, as hacking of gadgets and computerized equipment such as cell phones seems to be an increasingly common pastime for today's youth. (It's too bad ham radio is itself losing numbers as the previous generation ages and dies out.) The internet itself is used to spread techniques and malicious code among hackers.

One can imagine the consequences of a malicious RF device hacker or smart-but-delinquent kid in, say, a crowded shopping mall.

Finally, ham radio experimenters worldwide are not unfamiliar with longwave experimentation. Note in particular the bolded statement below:

With no Amateur Radio low-frequency [longwave -ed.] allocation in North America, stations operating under FCC Part 5 Experimental licenses in the US or under special experimental authorizations in Canada nonetheless continue to research the nether regions of the radio spectrum. By and large, LF experimentation is occurring in the vicinity of 136 kHz--typically 135.7 to 137.8 kHz--where amateur allocations already exist elsewhere in the world. The FCC rejected the ARRL's 1998 petition for LF allocations at 135.7 to 137.8 kHz and 160 to 190 kHz, however, after electric utilities objected that ham radio transmissions might interfere with power line carrier (PLC) signals used to control the power grid.

"Most of the new LF activity of Part 5 licensees has been in the shared 137 kHz amateur allocation available in some parts of the world," says low-frequency experimenter Laurence Howell, KL1X/5. "Although not in the Amateur Radio Service, these Part 5 experimental stations continue to add to our knowledge on propagation and engineering."

The holder of Part 5 Experimental license WD2XDW, Howell who's also GM4DMA, previously operated LF from Alaska. He's since relocated to Oklahoma, and has now resumed his LF work on 137.7752 and 137.7756 kHz. Already he's reporting some spectacular success, despite antenna limitations. On October 28, New Zealand LFer Mike McAlevey, ZL4OL, copied WD2XDW's 137 kHz carrier "bursts" over a path of more than 13,000 km (8000 miles).


The take-away message is that:

  • In biomedicine, the most meticulous resilience engineering is never a bad idea.

When drug and device manufacturers understand this fully, perhaps we will no longer have incidents of bad health informatics that can kill.

-- SS
Princess Health and Hacking an ICD. Princessiccia

Implantable cardiac defibrillators (ICDs) are battery-powered, computerized electronic devices implanted in the body. They are designed to detect dangerous heart rhythms and administer a shock to the heart to stop them. We have discussed these devices before, including a story about how one manufacturer suppressed data that suggested some of their ICDs were less reliable than heretofore thought.

It appears that a new, and potentially worrisome adverse effect of these devices has just been discovered.

An article to be published in the IEEE Symposium on Security and Privacy [Halperin D, Heydt-Benjamin TS, Ransford B et al. Pacemakers and implantable cardiac defibrillators: software radio attacks and zero-power defenses. IEEE Symposium Security Privacy 2008; in press. Link here.] demonstrated the vulnerability of an implantable cardiac defibrillator to computer hacking.

Let me set the stage. ICDs and other implantable devices may need to be tested, and sometimes their functional parameters need to be adjusted. Obviously, it would be cumbersome and hazardous to remove such a device after it was implanted to check and adjust it. So the devices incorporate methods to check and adjust them remotely. It appears most do so using "wireless" means. Wireless, of course, is the traditional UK term for radio.

Halperin et al. found that they could communicate via radio with a representative ICD, the Medtronic Maximo DR VVE-DDDR model. Note that the ICD they tested was not implanted in a patient, but sitting on a bench, and that the radio equipment they used to "hack" it was in close proximity to it.

Once they figured out how to communicate, they found that they could:
- Discover patient data such as name, date of birth, medical ID number, and medical history
- Monitor electrophysiological telemetry data
- Turn off specific ICD functions
- Induce the ICD to deliver a shock, potentially one that could cause a severe rhythm disturbance
- Increase the power consumption of the ICD so that its battery would fail prematurely.

Further, they found that they could overcome a design feature of the ICD meant to prevent anyone from communicating with it from more than a very short distance. The ICD is not supposed to respond to radio signals unless it is first exposed to a strong local magnetic field which triggers a magnetic switch in the device. But the investigators found, "in order to rule out the possibility that proximity of the magnet ... is necessary for the ICD to accept programming commands, we tested each ... attack with and without a magnet near the ICD. In all cases, both scenarios were successful."

Thus, this article suggested this ICD could be hacked, and that hacking it could pose significant risks to patients who had the ICD implanted.

Some people doubted that such hacking could actually take place in real-life, as opposed to laboratory settings. For example, per the AP story, FDA spokesperson Pepper Long "acknowledged a hacker could use specialized software and a small antenna to intercept transmissions from a defibrillator. But she said the chance of that happening -- or of a defibrillator being maliciously reprogrammed using a technique similar to the one a doctor would use to program it -- was 'remote.'" Furthermore, per the Reuters story, "Medtronic's Rob Clark said the company's devices had carried such telemetry for 30 years with no reported problems. 'This is a very low-risk event for patients that have these devices,' Clark said in a telephone interview."

In my humble opinion, however, the problems that Halperin et al found with the Medtronic ICD have real importance. Let me first note that both the FDA and Medtronic representatives treated the issue epidemiologically. They based their pronouncements on the assumption that an adverse event that has not happened in the past due to a device in wide use is not likely to happen in the future. That does not make sense if the potential adverse event would involve conscious, malicious human action. Just because hackers have not yet attacked an ICD does not mean they will not do so in the future, especially after the possibility of doing so has gotten wide publicity.

Another way some have minimized the practical importance of their findings is to point out that the experiment by Halperin et al. was carried out on an ICD on a bench, using equipment that was in close proximity. Some may thus feel that the possibility of hacking carried out from longer range is low. I strongly believe that is not a good assumption. Many features of the ICD and its radio communication system suggest that hacking could be carried out from considerably longer range. There are hints in the Halperin et al. article that could suggest to anyone moderately knowledgeable about radio how this could be done. I do not want to discuss these in any more detail, because I do not want to facilitate such long-range hacking. But I believe it is a real danger.

But why is this relevant to Health Care Renewal? It seems glaringly obvious that the risk of hacking could have been substantially reduced had the ICD been designed so it would not respond to any radio communication that did not have an appropriate authorization code, and/or if communication with it were encrypted. In fact, Halperin et al suggested some relatively simple measures that could be used to increase the security of these devices. Yet the Medtronic ICD, and presumably other ICDs and implantable devices, were not designed with such elementary security precautions in mind. As security expert Bruce Schneier wrote (reported in Information Week),

Of course, we all know how this happened. It's a story we've seen a zillion times before: The designers didn't think about security, so the design wasn't secure.

But an ICD is a device whose correct operation is critical for the health and safety of patients in whom it is implanted. One would think that the managers responsible for the design of such devices would have pushed to make sure that the operation of such devices could not be hacked or accidentally altered in ways that could put patients' health and lives at risk. The most charitable explanation for why they did not think to do so is that they really did not understand the clinical context in which this device would be used.

This is yet another reminder that those who run health care organizations often fail to think about patients' welfare first instead of other considerations. We need to change the culture of health care organizations to put patients first. Until we do so, we are going to get hacked.
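The "authorization code" idea raised in the post above, as an added sketch that is not from the original post, from Halperin et al., or from any manufacturer: a hypothetical implant-side handler that accepts a command only if it carries an HMAC over a fresh, device-issued nonce. The command names, the pre-shared per-device key, and the `Device`, `sign` and `run_demo` names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 16    # truncated HMAC-SHA256 tag, in bytes
NONCE_LEN = 16  # fixed length, so nonce + command is unambiguous


def sign(key: bytes, nonce: bytes, command: bytes) -> bytes:
    """Programmer side: bind the command to the device's current nonce."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest()[:TAG_LEN]


class Device:
    """Hypothetical implant-side command handler (not a real protocol)."""

    def __init__(self, key: bytes, require_auth: bool):
        self._key = key
        self._require_auth = require_auth
        self._nonce = None          # no challenge outstanding
        self.therapy_enabled = True

    def challenge(self) -> bytes:
        """Issue a fresh random nonce; it authorizes at most one command."""
        self._nonce = secrets.token_bytes(NONCE_LEN)
        return self._nonce

    def handle(self, command: bytes, tag: bytes = b"") -> bool:
        if self._require_auth:
            # Consume the nonce whether or not the tag verifies, so a
            # captured (command, tag) pair can never be accepted twice.
            nonce, self._nonce = self._nonce, None
            if nonce is None:
                return False
            expected = sign(self._key, nonce, command)
            if not hmac.compare_digest(expected, tag):  # constant-time compare
                return False
        if command == b"THERAPY_OFF":    # constructed command name
            self.therapy_enabled = False
        elif command == b"THERAPY_ON":   # constructed command name
            self.therapy_enabled = True
        else:
            return False
        return True


def run_demo() -> dict:
    key = secrets.token_bytes(32)  # assumed pre-shared, per-device key
    results = {}

    # Design as described in the post: any well-formed command is obeyed.
    legacy = Device(key, require_auth=False)
    results["legacy_unauthenticated"] = legacy.handle(b"THERAPY_OFF")

    hardened = Device(key, require_auth=True)
    # The same bare command against the hardened handler.
    results["hardened_unauthenticated"] = hardened.handle(b"THERAPY_OFF")

    # Authorized programmer: request a challenge, sign it, send the command.
    nonce = hardened.challenge()
    captured_tag = sign(key, nonce, b"THERAPY_OFF")
    results["authorized"] = hardened.handle(b"THERAPY_OFF", captured_tag)

    # Clinician re-enables therapy with a second authorized exchange.
    nonce = hardened.challenge()
    hardened.handle(b"THERAPY_ON", sign(key, nonce, b"THERAPY_ON"))

    # Replay of the recorded exchange against a new challenge fails.
    hardened.challenge()
    results["replay"] = hardened.handle(b"THERAPY_OFF", captured_tag)

    # A sender that does not hold the device key fails.
    nonce = hardened.challenge()
    bad_tag = sign(secrets.token_bytes(32), nonce, b"THERAPY_OFF")
    results["wrong_key"] = hardened.handle(b"THERAPY_OFF", bad_tag)

    results["therapy_still_enabled"] = hardened.therapy_enabled
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Authentication of this kind does not by itself address the battery-drain item in the list above, since the device still spends power answering each challenge.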

Sunday, 26 June 2005

Princess Health and Now Stuck Switches for Guidant. Princessiccia

The NY Times reported yet another problem with implantable cardiac defibrillators (ICDs) made by Guidant. This time it was a magnetic switch that could become stuck in the "off" position. Apparently, this flaw is not so serious as previous ones (see most recent post here), because it can be fixed without removing the devices. A Guidant consultant suggested that the problem affects about 6000 devices. The models affected were the Contak Renewal 3, Contak Renewal 4, Contak Renewal 3 AVT, Contak Renewal 4 AVT, and Renewal RF. The company "urged doctors ... to stop implanting" the device, but "did not say how it planned to fix the problem, when it expected to do so, or how it would fix units already implanted in patients," according to the Times. Also, "Guidant declined a request to interview its chief executive, Ronald W. Dollens."
Again, one would have hoped that the company could have done better with quality control, given that each of these devices costs about $25,000.

Monday, 20 June 2005

Princess Health and More Short Circuits for Guidant. Princessiccia

The NY Times reported yet more bad news from the Guidant Corporation. We had previously posted (here) how Guidant had delayed notifying physicians and patients about the possibility that short-circuits could render one of its models of implantable cardiac defibrillators (ICD), the Prizm 2 DR Model 1861, useless, and then that Guidant had continued to ship the old version of this model from inventory after it had started making a new version less prone to this mode of failure (see post here). Now Guidant is launching a formal recall of 29,000 ICD devices. However, this recall includes two other models of Guidant combined pacemaker and ICDs, the Contak Renewal and Contak Renewal 2, which Guidant had not previously identified as likely to short circuit. Furthermore, it appears that Guidant delayed notifying doctors and patients about the possibility that these models might fail until now, and that Guidant continued to ship older versions of these two models from inventory even after it began manufacturing newer versions that were designed not to short-circuit.
Again, to make the best possible decisions for individual patients, patients and physicians deserve to hear about problems with devices and drugs as soon as reliable information about them is available.

Wednesday, 15 June 2005

Princess Health and No Federal Standards for Reporting Flawed Medical Devices. Princessiccia

The NY Times reported about recent recalls of implanted cardiac devices. One important point the reporter made was that so far the US Food and Drug Administration (FDA) has no uniform standards for notification of physicians when problems are found with implantable devices. Currently, it is up to the device manufacturer to decide when to report problems. Apparently, it is acceptable for the manufacturer to "consider potential loss of business to competitors and legal liability" when making such decisions.
The results of this lack of standards include the decision by Guidant to delay reporting of short-circuits in one model of implantable cardiac defibrillator (ICD). (See previous post here.) Guidant had judged that replacing such defibrillators would "unnecessarily" expose patients to surgical risks. Thus, Guidant justified its decision to withhold information about the possibility of ICD failure, apparently based on a judgment that the reduction in possible benefit due to ICD failure was less important to patients than the risks of ICD replacement.
But by withholding information about ICD reliability, Guidant seemed to be substituting its judgments about how to balance benefits and harms for those made by patients and doctors. As Dr. Eric N. Prystowsky said, "You are not my father. You are not my mother. You are just a company selling products. You have to let me make these decisions."

Friday, 3 June 2005

Princess Health and Guidant's Short Circuit, Reloaded. Princessiccia

The NY Times reported that after Guidant discovered a defect in its implantable cardiac defibrillator (ICD) that allowed the device to short-circuit and fail, it continued to ship ICDs with the defect even after it had started manufacturing redesigned devices without the flaw.
Our post about the discovery of the flaw is here.
Guidant's statement about the matter was, "After making these improvements, Guidant sold product manufactured before the improvements because the reliability data showed that the original PRIZM 2 DR, like the enhanced version, was a highly reliable life-saving device. Current data continues to support the reliability of the product."
The Times reported, "some doctors said they would be dismayed if the company allowed them to implant a device with a known flaw that had been corrected in other units."
As I said before, the decision about how to treat a patient's illness should be up to the doctor and patient, and be based on the best available data, as well as the patient's values. For a company to withhold data relevant to the decision, which just happens to be unfavorable to the company's product, is plain wrong.

Tuesday, 24 May 2005

Princess Health and Guidant's Short Circuit. Princessiccia

The New York Times reports yet another story of flawed implantable cardiac defibrillators (ICDs). This time, Guidant Corporation revealed that its ICDs manufactured from 2000 to 2002 can short circuit, fail, and thus become unable to prevent cardiac arrhythmias. Guidant corrected the design flaw that allowed these failures to occur in ICDs manufactured after mid-2002.
However, it only got around to notifying physicians and the public about the problem recently, after the company was informed that the Times was working on an article about the problem. The company's argument was that short-circuits are rare: only 25 cases of short-circuits are known. Furthermore, replacing the ICD requires an invasive procedure, and hence is not risk-free.
However, doctors and patients ought to be able to decide about whether to take this risk, based on full disclosure of the relevant data.
This is the third problem with ICDs that has appeared in this blog. The others involved problems in devices manufactured by Access Cardiosystems, and by Medtronic.
The NY Times article notes that ICDs cost about $25,000 apiece, and that Guidant sold about $1.9 billion worth last year. Given the low cost of very sophisticated modern electronics, this unit price seems very high. It should at least buy unimpeachable reliability. Why managed care has not been able to bargain down the prices of such devices remains an open question. But meanwhile they surely account for some of the seemingly inexorable rise of health care costs.
But regardless of what $25,000 ought to buy, there seems to be no good excuse to hide data about this device's flaws from the public and from doctors.