‘He’s remote controlling my heart’: Can cyberhackers really hack into implanted heart devices?

Scott Tanner will talk seriously about the cars he sells all day, but ask him about the surgically implanted, battery-powered defibrillator in his chest, which could prevent a heart attack, and he turns to humor. “I always say that I can set off every garage door in the county when I drive by,” Tanner said, believing that laughter is the best medicine for his heart.

The device monitors Tanner’s heart rate around the clock. It’s connected to a monitor, which is connected to the internet. The system can also jumpstart his heart with electrical pulses, to save his life in an emergency.

“It would give me a zap and a jolt to calm that down and bring it back down to normal levels,” he said.

But when Tanner’s doctors tested the newly implanted device, he says they were able to remotely increase his heart rate, and that sent his mind racing.

“My body feels like I’m going up and down stairs. I’m running a marathon. I mean, it’s a good workout, even though you’re sitting there,” Tanner said. “He’s remotely controlling your heart.”

The remote-control ability sent Tanner’s mind racing, along with his heart rate.

“If they could do that on a computer, if a hacker actually got control of a system, they could demand money, they could demand whatever. And I thought it was actually a good idea for a movie.”

If it sounds like the stuff of spy movies, it is: Hollywood has already hacked the idea, but more about that later. When Tanner asked his doctor about the movie plot, what he heard disturbed him.

“100%. They thought it was possible,” Tanner said.

There have been multiple published government warnings over the last ten years about the same concerns, including one from the FDA and the National Library of Medicine saying some implanted defibrillators were vulnerable to hackers who could hijack the devices and could even change their settings.

Another cardiologist warning said that although there were no documented reports of remote heart hacks happening, “...the threat is real. It is essential to be well prepared for this potential but serious threat.”

Cybersecurity researcher Dr. Marie Moe was able to hack into her own implanted heart pacemaker, to show the manufacturers of the devices how vulnerable they could potentially be to cyberattacks.

“A hacker could potentially take over communication to the medical device, could switch it off, make it malfunction,” she warned.

On CBS’s 60 Minutes, Vice President Dick Cheney’s cardiologist said when Cheney’s implanted defibrillator needed to be replaced, his doctor disconnected the device’s wireless connectivity, fearing an assassin could hack into it, and shock his heart into cardiac arrest.

“It seemed to me to be a bad idea for the Vice President of the United States to have a device that -- maybe someone on a rope line or someone in the next hotel room or downstairs might be able to hack into, and I worried someone could kill (him).”

Several years later, that scenario became the exact plot in the Showtime drama “Homeland.” A hacker takes control of the defibrillator implanted in the fictional Vice President and stops his heart. Dick Cheney saw this episode.

“It was an accurate portrayal of what was possible,” Cheney told 60 Minutes.

We asked renowned cybersecurity expert Christopher Budd, director of Sophos X-Ops, if hacking a specific device is possible.

“Is it possible? Yes. Is it probable, right now, no,” Budd said.

Budd believes most hackers are looking for easier, more rewarding targets to attack, like private healthcare information, which they can sell. But he says no wirelessly connected implanted device or network can ever be made completely secure against hacking.

“As soon as you plug anything into the internet, the threat profile for it increases substantially,” he said.

Budd said cybersecurity as an industry is looking for weaknesses in the devices, the same way a hacker would.

“Within the security industry there’s a whole process in place for looking for, identifying and fixing flaws that can lead to hacking,” he said.

Medical devices have been targets of hacking attempts for over a decade, physicians note in the Journal of the American College of Cardiology. The fact that most of the devices use wireless communications to relay heart data through networks has created a risk that hackers could potentially reprogram devices to make them give false readings, interrupt the relay of communications needed for doctors to monitor their patients remotely, or even drain the devices’ batteries.

Which brings us back to Scott Tanner, who says that as he sells cars by day, he forgets about the lifesaving device silently sending his heart info to computers and doctors around the clock.

“Eventually you have to trust,” Tanner said. “And you pray and hope that the firewalls are there.”