Is your defibrillator at risk of being hacked?

Monday, February 06, 2017

Defibrillators Hacked?

Making for scary headlines everywhere is the announcement from the US Food and Drug Administration that weaknesses have been found in some cardiac devices, making it possible for a hacker to remotely access the device and cause it to function incorrectly - potentially causing fatalities. But what are the facts?

  • Automated External Defibrillators such as our range of Heartsine AEDs are completely unaffected.
  • This announcement is only relevant to Internal Defibrillators and Pacemakers.
  • Only devices fitted with wireless communications are vulnerable to this attack.
  • Successful hacking has so far been limited entirely to security firms aiming to fix any vulnerabilities they can find in order to make these devices safer.

Internal defibrillators and pacemakers developed in recent years are frequently built with wireless communications access (similar to Wi-Fi and Bluetooth) to allow medical professionals to remotely monitor the device, download performance data and make adjustments. For example, pacemakers implanted into younger patients often need reconfiguring throughout the first few months to allow the device to recognise and respond correctly to the patient's more physically active lifestyle, which its default settings are not prepared for. Being able to make these adjustments without surgery has obvious health benefits.

Unfortunately, this means there is also the potential for a highly skilled hacker to gain access to the device via the same means, make changes to the internal defibrillator or pacemaker, and cause serious harm to the patient.

In reality, such hacking has to date only been successfully done by security firms attempting to find vulnerabilities in these devices, with the specific aim of improving their security and preventing malicious hackers from gaining access. The recent headlines are for one manufacturer in particular, but the potential for hacking similar internal devices with wireless communication has been known and studied for quite some time, and this research does occasionally make for dramatic headlines in the news.

You can read the full announcement from the FDA, and while it intentionally makes for sobering reading, the FDA stresses in the report that:

"There have been no reports of patient harm related to these cybersecurity vulnerabilities"

The announcement details that the manufacturer in this specific case has already created a fix for the issue, and outlines what steps you need to take to ensure the fix reaches affected devices.
