My friend Haym Hirsh, a computer science professor at Rutgers, e-mails:
It turns out that you can reverse engineer a pacemaker with sufficient accuracy that you can broadcast radio signals to it to induce various undesirable actions, such as broadcasting the pacemakers existence (including model and serial number), broadcasting personal information such as the patient’s name, disclosing cardiac data recorded by the device, changing the patients name, changing therapies, and inducing fibrillation (!). You can also perform a “denial of service” attack on it. All were done via radio. See http://blogs.zdnet.com/BTL/?p=8218 for a high-level description, http://www.secure-medicine.org/icd-study/icd-study.pdf for technical details. Not a new story — it was out last year — but new to me.