Of fact,fiction and Cheneys defibrillator

In a chilling episode of Homeland last year,a terrorist killed the vice-president with a fiendishly clever weapon: a remote-control device that attacked the computerised defibrillator implanted in his chest.

For former vice-president Dick Cheney,it was all too realistic.

Cheney,who had heart disease for decades before receiving a transplant last year,had such an implant to regulate his heart rate and shock his heart back into life,if necessary. The defibrillator could be reprogrammed wirelessly from a short distance away. In 2007,he had the wireless feature disabled.

About the Homeland scenario,Cheney said on the October 20 episode of 60 Minutes on CBS: I found it credible. It was an accurate portrayal of what was possible.

But was it really? Medical experts say the answers are surprisingly complicated.

Cheneys cardiologist,Dr Jonathan Reiner of George Washington University,said in the 60 Minutes interview that he agreed with his patient.

An assassin on a rope line or in a hotel room next door could have instructed the defibrillator to kill Cheney,he said,adding that a wireless programmable device seemed to me a bad idea for the vice-president of the United States.

Other experts say the scenario is highly unlikely,though they couch their answers carefully.

The devices,used by millions of Americans,transmit data from a patients home to a doctors office,alerting the doctor of a malfunction. But the communication goes only one way; the devices being used today cannot be reprogrammed remotely.

Instead,patients must go to a doctors office. With some devices,they must be within inches of the reprogramming machine. Others can be reprogrammed from about 30 feet away,but a wand must be held close to patients collarbones to identify them to the machine.

My opinion is that it is probably unlikely that a remote attack of this nature could happen today, said Kevin Fu,a University of Michigan expert on computer security.

But he emphasised the word probably,adding that he would never say something is impossible. There can always be a flaw we are unaware of, he said.

In fact,a precedent for the Homeland episode was a 2008 paper by Fu and others,who reported they had managed to change the settings on an implantable defibrillator so it would release deadly electric shocks. Of course,Fu noted,the experiment required almost a dozen people in a lab full of PhDs. And investigators had to be as close as two inches from the defibrillator.

Still,the experiment became known as a proof of principle. It originated a decade ago,when Fu noticed that the Food and Drug Administration had issued a recall for software on an implanted heart device. He began to wonder about software updates and the security of medical devices. So he started calling cardiologists,trying to get more information.

Many hung up on him,Fu said,adding,They thought I was crazy to worry about the security of a device in the chest.

Finally,he got together with a colleague,Tadayoshi Kohno,a computer security researcher at the University of Washington. The two investigators and their colleagues set to work seeing if they could breach the security of a defibrillator that had been removed from a patients chest.

The defibrillator and the device used to programme it communicated in their own language from a distance no greater than a few inches,Kohno said. The group figured out the language by turning various therapy commands on and off. After they learned the communication language,we could generate the commands ourselves.

At that time,security was not on the radar yet for medical devices,Fu said. But there was a rapid trend toward wireless communication and Internet connectivity. We definitely raised awareness.

He immediately heard from the device industry group,the Advanced Medical Technology Association,or AdvaMed,which invited Fu and Kohno to speak to its pacemaker working group,a small meeting where members discuss policy issues. Now,the device manufacturers are acutely aware of security issues,said Bernie Liebler,a director in the groups technology and regulatory affairs department.

Cardiologists have noticed a change.

Over the years,manufacturers have added features that make it harder and harder to get into the software, said Dr Spencer Rosero,of the University of Rochester Medical Center.

The identifying wand is one such feature,said Dr Arthur Moss,a cardiologist also at the University of Rochester.

So far,though,there has never been a reported case of anyone maliciously reprogramming a patients implanted defibrillator,Fu said. Today,he and others said,the real risk with electronic medical devices is much more mundane. It is the accidental introduction of the disruptive software called malware. NYT