Here’s something nobody has ever been able to tell me:
Do wandless ICDs (implantable cardioverter-defibrillators) employ any kind of encryption?
As far as I can tell, the answer is no.
Let me give you a little background. At the last Heart Rhythm Scientific Sessions (2005, in New Orleans) most of the big ICD companies were showing off their wonderful new “wandless telemetry” systems. Historically, ICDs have been programmed (after implantation) and interrogated with some variety of inductive communication. This was done by placing a “wand” over the part of the patient’s body where the device was implanted and then initiating communication. Inductive communication has a short range, around a few inches. Device companies have begun to use radio-frequency (RF) communication instead, which has a longer range, something on the order of feet or meters.
This is a big problem.
Not one person I’ve asked (admittedly, sales people for the most part) has been able to tell me if the new RF (a.k.a. wandless) telemetry communication is encrypted. I did some patent searching at uspto.gov, and found that no patents have been granted on anything like this yet. However, Medtronic did apply for a patent in September 2005. As the patent application says in its background, “With the advent of long range telemetry of messages, and the associated increase in communication range, the risk that a message can be compromised is increased. For example, a replay attack can be launched in which a message, or a piece of a message, can be captured and then maliciously used at a later time.”
So it does appear that someone is thinking about this. Most people don’t really think about or understand encryption, even technically-inclined people like medical device engineers.
Do you know anything about this? Do you know someone who might?
MDT just held a seminar on encryption methods for implantable devices with telemetry capabilities. It is something that is being incorporated into our devices, especially with the new CareLink system, where patients' data is received by units that can then transmit the data over phone lines / internet to CareLink centers to monitor devices and get status checks.
The above are my personal opinions and I do not speak for Medtronic in any official capacity.