Somebody’s Watching You: The Security Risks of Pacemaker Technology

February 8, 2017

From Amazon’s helpful electronic assistant Alexa to televisions that track viewer preferences, these days people surround themselves with devices that continuously record information about their users. Even medical devices, like Pacemakers, are more frequently being offered with built-in network capability, creating an expansive Internet of Things that simultaneously increases efficiency and vulnerability for those that utilize the technologies.
Pacemakers are designed to keep individuals’ heart rates in a steady, normal rhythm. While they started as relatively simple devices designed to target arrhythmias, the newer, more advanced pacemakers can now record and process biological information such as the device wearer’s breathing patterns and blood temperature and adjust the individual’s heart rate accordingly. There are even apps that have been created to allow patients to send the data from their pacemakers to their physicians so that they don’t have to physically visit a doctor in order to have their data analyzed for potential issues.
The advanced monitoring technology of the new wave of pacemakers often increases patient health and safety, but such advancements come with potential risks, as well. As George Orwell and many other authors have expounded on in their novels, constant monitoring can easily lead to the collected data being used against someone just as easily as it can be used for their benefit. One man in Ohio learned this lesson the hard way when police were able to use the data from his pacemaker to combat his alibi and indict him on charges of arson.
When his home burned down in September, Ross Compton told the authorities that he’d been inside his house when it had caught on fire and that he had escaped by breaking a window and climbing out of it with several bags in tow. Investigators, however, were not convinced that a man who had such serious heart problems as Compton could complete such an escape. This suspicion combined with several other details that didn’t fit Compton’s story led police to seek and obtain a warrant for the data collected by his pacemaker. The data showing Compton’s “heart rate, pacer demand and cardiac rhythms”, according to a cardiologist, revealed that it was “highly improbable” that Compton had actually escaped in the manner he told the police he had. This information combined with the cardiologist’s assessment assisted the prosecutor in bringing an indictment against Compton for felony aggravated arson and insurance fraud.
Like Compton, many people who have medical devices, such as pacemakers, implanted in their bodies run the risk of having the data used against them in an investigation or in other ways. Focused on optimizing the devices’ medical purposes, pacemaker creators don’t design the devices with the principle of least privilege (the idea that a device or module should only have access to information necessary for its legitimate purpose) in mind. This means that, while police can access the pacemaker data for important evidential purposes, hackers can also access the devices and control how they function, allowing for the possibility of an individual to physically harm someone without ever having actual contact with the person.
In order to prevent such crimes from occurring and in order to boost the security of individual privacy, it is important that medical technology creators consider the security of their designs.

Ultimately, people rely on these devices to keep them healthy and alive and they often have little choice but to willingly allow the pacemakers to be implanted in their bodies, yet in doing so they open themselves up to being constantly monitored by technology that isn’t designed to be secure in terms of privacy.

Until the principle of least privilege is taken into consideration in the design of the day to day devices that make up the Internet of Things, we must always be aware of the fact that our convenient devices that allow us to live comfortably are gold mines of personal information that could easily lead to serious ramifications. Just ask Ross Compton.