Pacemaker Security. PHOTO: Cybercrime Magazine.

Cybersecurity Guidance For Heart Patients With Pacemakers

Dr. Marie Moe on vulnerabilities in medical IoT devices

Amanda Glassner

Northport, N.Y. – Feb. 15, 2021

Pacemakers are state-of-the-art technology, but they are not exempt from the dangers of being connected to the internet. Heart patients may be at the mercy of a frightening enemy: hackers.

Thriving on unsuspecting victims, hackers can smell blood, even when it’s on silicon. Cybercriminals rarely lose their battles, but Dr. Marie Moe is a force to be reckoned with.

Determined not to be defibrillated, Dr. Moe quickly made a name for herself in the information security industry. An advanced cryptographer, she was soaring to professional success in 2011. But one day, on the way to work, her heart nearly gave out and she fell unconscious.

After a series of tests, doctors discovered a cardiac arrhythmia. In the hours that followed, Dr. Moe had a pacemaker implanted beneath her skin. Though she did not know it at the time, this was a life-changing event that would lead to some of the most prolific research of her career.

Adjusting to a life dependent on the device inside her chest, she wondered … What would happen if someone hacked it?

Dr. Moe founded the Pacemaker Hacking Project in 2015. This groundbreaking study filled a gaping hole in the industry, which was discovered through her many years of research which yield alarmingly few results.

“I never thought that something as intimate as an implanted cardiac device could be connected to the internet,” said the scientist in an interview on Cybercrime Magazine’s podcast. “My body, in a way, could be connected to the internet, and as a security researcher, this made me a bit worried.”

“Can hackers break my heart?” Dr. Moe famously asked a riveted audience while she was on stage for a 2016 Tedx talk. In the following months, she spoke of her team’s studies at several field events, which garnered abundant media attention.

Later that year, Dr. Moe’s findings were published. These profound insights detailed five vulnerabilities in medical IoT devices, all of which are covered in the blog post, “Uncovering vulnerabilities in pacemakers.”

If you live with one of these devices, don’t panic. Your body isn’t about to be hacked into from the other side of the world, as scary as that sounds. One of the most pertinent discoveries of this research concluded that in order to be hacked, the criminal needs to have had physical access to your equipment.

Dr. Moe has received a multitude of recognition for her work. Further, the FDA has since released guidelines on cybersecurity for medical devices. And, perhaps most importantly, vendors have taken initiative to give their customers what they desire most: a beating heart that even the most advanced hacker cannot break.

For anyone with a pacemaker, it is still worth conducting some of your own research.

In 2008, a University of Massachusetts Amherst researcher, Kevin E. Fu, showed that an implantable heart defibrillator is vulnerable to hacking. Fu’s research was aimed at helping to protect the next generation of internet-connected medical devices.

Researchers at a 2018 security conference demonstrated a then new pacemaker hacking technique capable of adding or withholding shocks at will.

Fu, a pioneer in medical device cybersecurity, recently joined the U.S. Food and Drug Administration (FDA) as expert-in-residence and acting director of medical device cybersecurity, a one-year position within the Center for Devices and Radiological Health (CDRH).

– Amanda Glassner is a staff writer and reporter at Cybercrime Magazine.

Go here to read all of my blogs and articles covering cybersecurity. Go here to send me story tips, feedback and suggestions.