- Transmission of information over wireless devices is increasingly being employed in the health care arena.
- The rate of adoption of m-commerce by health care providers is outpacing their ability to keep patients safe.
- Patients should take steps to safeguard their personal data from data breaches that impact health care providers.
It’s the nightmare scenario: A hacker who is able to remotely access your pacemaker — and shut it off.
Pacemakers are programmed via wireless connections with a computer. That reliance on wireless signals, however, leaves pacemakers vulnerable to attack by hackers, who could drain the device battery and turn off therapies.
The health care industry is increasingly employing wireless devices like pacemakers, which fall into the growing category of mobile commerce, or m-commerce — technology that exchanges or transmits information using mobile devices. Recent m-commerce innovations such as virtual doctor visits and the possibility of MRI scans by cell phone evoke the type of medical care the Jetsons might have enjoyed.
“M-commerce is changing the face of health care,” said Linda Golden, McCombs School marketing professor, in a presentation at the April 2012 McCombs Health Care Symposium. “We're using a lot of wireless devices now — the smartphones, the tablets — to administer, analyze, understand [and] explore what's going on with our consumer, the patient. This is disseminating and coordinating patient care and progress electronically.”
But health care professionals and their patients must guard against the dangers inherent in m-commerce, she warns. Those threats range from doctors who lose iPhones and other mobile devices containing patients’ personal data to hackers potentially killing patients who rely on implanted devices, such as pacemakers or glucose infusion devices.
Golden says hospitals should be doing more to keep patients safe. “This is pretty new technology and we're just learning about all the risks,” she said.
M-commerce in Health Care
Doctors and health care providers aren’t the only ones using m-commerce each time they pick up a wireless device; patients are also employing the technology. Smart phone applications enable the convenient refill of prescriptions or quick access to poison control centers in an emergency. And patients living in rural areas or travelling abroad can get questions answered during virtual doctor visits, while stroke victims can be helped remotely by the Microsoft Kinect gaming device without having to visit a doctor’s office — all thanks to technological innovations being used in m-commerce.
The technology is catching on in a big way. According to a December 2011 study by the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, 81 percent of health care organizations reported using mobile devices to collect, store and/or transmit some form of patient information. Meanwhile, an annual research study by health care market research and advisory firm Manhattan Research indicates that in 2012, 85 percent of physicians own or use a smart phone for professional purposes, up from 81 percent in 2011.
Dangers of M-commerce
But there’s a danger for any health care–related m-commerce: In Ponemon’s 2011 study, data breaches were shown to have increased 32 percent from 2010, with 96 percent of health care providers admitting to having experienced at least one data breach in the past two years. Unfortunately, the increase in breaches hasn’t led to more or better precautions. In fact, 49 percent of respondents said their organizations do nothing to protect mobile devices. Even the simple act of misplacing a mobile device can be reason for serious worry.
“Two million smart phones are lost every year,” Golden said in her symposium presentation. “If the health care provider's phone is lost, think of all the information that can be on it.” Patient information, such as Social Security numbers, addresses, and dates of birth, can enable thieves to fraudulently obtain medical care or to create fake insurance claims to collect the proceeds.
Wireless transmissions can also be intercepted. Golden notes that in general, since the networks mobile devices use for transmission are less secure, information can become more susceptible to hackers or renegade health care employees. Even when security tools are enabled for mobile devices, they don’t guarantee protection.
“Even encrypted [information] can be unencrypted by people who know what they're doing,” Golden said.
On the more extreme end of the spectrum, medical devices that use wireless signals could put patients’ lives at risk. For example, Golden and graduate student Ilya Dayter point to research from 2008 in which two independent groups showed how a defibrillator can be attacked wirelessly. Working within inches of the device, a combination heart defibrillator and pacemaker, researchers were able to reprogram it to shut down and to deliver potentially fatal jolts of electricity, according to the New York Times.
What’s more, in Las Vegas at the 2011 Black Hat Technical Security Conference, an information security event for industry professionals, then-senior threat intelligence analyst (and diabetic) Jerome Radcliffe showed how it was possible to take control of his insulin pump, which uses a special remote to administer his insulin, through an easily obtained USB device coupled with his ability to eavesdrop on computer traffic.
“He didn’t obviously show the total damage because he would kill himself, but he showed how easy it was to hack into one of the devices,” Dayter said in an interview following the health care symposium.
Dayter says that because implantable medical devices are so small, it is difficult to add security features to prevent such hacks. That said, there are no confirmed cases of patients being hacked to death — so far.
Protecting Health Care Data
Golden and Dayter encourage patients to take steps to protect themselves:
- Ask about your doctor’s mobile devices. Dayter recommends patients ask their doctor if mobile devices, such as smart phones and iPads, are used for patient reviews and accessing medical records. If so, the doctor’s mobile devices should be encrypted. Ask your doctor specifically, “Are your mobile devices encrypted?” Dayter said.
- Find out if your hospital offers post-identity theft protection. Just don’t be surprised if the answer is “no.” Although 90 percent of health care organizations told Ponemon that data breaches cause harm to patients, most (65 percent) offer no protection services to affected patients.
- Check your credit reports. Victims of identity theft may not realize their information has been compromised. By regularly reviewing bills and consumer credit reports, patients may spot any accounts fraudulently charged or opened in their names.
Of course, patients shouldn’t be expected to do all the work.
“As m-commerce becomes more and more useful to the health care professional, as it will be and should be, there's a flip side of it that requires a focus on risk management,” Golden said in her presentation. “Not only are there financial implications, but there are life-threatening implications. Health professionals are in the business of protecting lives and this is one thing that needs to be focused on to do so.”