The vulnerability of medical devices to hacking is nothing new. But judging by news reports from the Black Hat security event that took place in Las Vegas at the beginning of August, these concerns remain top of the agenda where products such as pacemakers and implantable devices are concerned.
The findings were brought to the fore by security experts Jonathan Butts of QED Secure Solution and Billy Rios of WhiteScope during their presentation, “Understanding and Exploiting Implanted Medical Devices”. While the pair acknowledged that the benefits of these devices often outweigh the risks, their findings have been picked up on a global scale to highlight the need for increased work in this area.
Security Boulevard writer Haidee LeClair explained: “But there are still plenty of vulnerabilities out there, as well as—at least in some cases, according to Butts and Rios—resistance to acknowledging them and making necessary fixes.
“The two demonstrated that some devices they tested, including infusion pumps, pacemakers, and patient monitoring systems, had vulnerabilities that they found relatively easy to exploit remotely.”
LeClair also reports: “[Rios and Butts] have reported 500 advisories to vendors. Most have been cooperative and worked with them on both ‘coordinated disclosure’ of problems and fixing those problems.
“But they unloaded on one vendor—Medtronic, whom they said was both uncooperative and unresponsive. They said 18 months after they disclosed vulnerabilities in devices made by the company, there had been one patch but no real fix, and not even an acknowledgment that a fix was needed.”
In the UK, the Guardian reported that Butts and Rios had actually demonstrated how an implantable insulin pump could be hacked: “To take control of the pacemaker, Rios and Butts went up the chain, hacking the system that a doctor would use to program a patient’s pacemaker”.
It’s a worrying scenario, but unfortunately one that we are used to reading about in the medical device sector.
According to the Guardian, Butts and Rios contacted Medtronic over a year ago with their concerns. “In its cybersecurity alerts, the company said the attacks weren’t possible remotely, and failed to fully explain how wide-ranging the weaknesses were. A bulletin warning about the weakness that Rios and Butts used to reprogram the pacemaker, for instance, said only that an attacker ‘could influence’ the data sent to its software update system,” reported the newspaper.
MPN contacted Medtronic for a comment. The company said:
“Medtronic emphasizes the safety of its products. Product safety and quality are top priorities for Medtronic, and we have a strong product security program that leverages internal and external security and medical device experts, rigorous development processes and current practices to enable security and usability. We are, and continue to be, committed to delivering safe and effective devices to address our patients’ therapeutic conditions.
“It’s important to note, however, that the likelihood of a breach of a patient’s device is low, and we are not aware of any security breaches involving patients with our medical devices. All medical devices carry some associated risk, and, like the regulators, we continuously strive to balance the risks against the benefits our devices provide.
“Additionally, we value collaboration and transparency with industry partners and the regulatory community, and we support FDA guidance on these matters. Medtronic is committed to a robust, coordinated disclosure process and takes seriously all potential cybersecurity vulnerabilities in our products and systems, and we consistently seek to improve these processes, in terms of our technical evaluation, required remediation and speed of disclosure. We follow formal processes, as required by the FDA and other regulators, for evaluating and mitigating the risks associated with all cybersecurity vulnerabilities.
“In the past, WhiteScope, LLC has identified potential vulnerabilities which we have assessed independently and also issued related notifications. We are not aware of any additional vulnerabilities they have identified at this time.”
Earlier this year, the FDA announced plans to enhance medical device safety. Its policies used real-world evidence to create a framework for digital health devices.
Speaking about the decision, FDA commissioner Scott Gottlieb said: “All medical devices have benefits and risks. And some of these risks are better understood once the device is more widely distributed and used under real-world conditions, in broader patient populations, and by a broader range of clinicians. Our aim is to ensure not only that devices meet the gold standard for getting to market, but also that they continue to meet this standard as we get more data about devices and learn more about their benefit-risk profile in real world clinical settings.”
One of the FDA’s key aims is to increase its understanding of cyber-security issues related to medical devices.