The debate over the security of implantable medical devices has returned to center stage after researchers published a paper detailing critical vulnerabilities in pacemaker systems from the leading manufacturers.
Security vendors keep hardening systems and software to protect devices against attackers and known weaknesses.
Yet life-critical medical devices such as pacemakers and insulin pumps continue to ship with exploitable vulnerabilities.
Security researchers Jonathan Butts and Billy Rios of WhiteScope documented their analysis of vulnerabilities across the products of four pacemaker manufacturers.
Pacemakers are small electrical cardiac devices surgically implanted in a patient's chest to regulate abnormal heart rhythms.
Physicians and technicians can adjust these devices at close range, and home monitors relay data remotely. According to the researchers, the vulnerabilities lie chiefly in the pacemaker programmers.
The pacemaker ecosystem comprises four key components: the implantable device, the programmers, the home monitoring equipment and the cloud-based patient-doctor network.
These components operate in tandem to provide the necessary therapy to the patient.
Pacemaker programmers are the devices clinicians use to check how the implant is functioning and to set its therapy parameters.
The research team examined seven programmers from the four vendors and found that they relied on more than 300 third-party libraries.
Of those, 174 libraries carried more than 8,600 publicly known vulnerabilities, a ready-made catalogue for a malicious actor.
The vulnerabilities stem from the programmers running outdated software, despite the Food and Drug Administration's (FDA) guidance pushing vendors to keep device software patched.
The researchers attributed the problem to the pacemaker ecosystem's inability to keep its software up to date.
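The figure "174 of 300-plus libraries with known vulnerabilities" is the kind of result a component inventory audit produces: list every third-party library and version on the device, then match each against the affected-version ranges in a vulnerability feed. The script below is an added example, not code from the WhiteScope research or from any vendor; the component names, versions and advisory ranges are constructed for illustration and do not describe real libraries or real advisories.

```python
"""Component inventory audit (added example; constructed data, not real advisories)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    component: str
    advisory_id: str        # hypothetical identifier, not a real CVE
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None means still unfixed


def parse_version(v: str) -> tuple:
    """'3.2.7' -> (3, 2, 7). Only dotted integers are compared; any suffix
    such as '-rc1' is ignored, which is a simplification for this example."""
    m = re.match(r"^(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def version_lt(a: str, b: str) -> bool:
    """True if a < b, padding with zeros so that '1.2' == '1.2.0'."""
    na, nb = parse_version(a), parse_version(b)
    width = max(len(na), len(nb))
    return na + (0,) * (width - len(na)) < nb + (0,) * (width - len(nb))


def is_affected(version: str, adv: Advisory) -> bool:
    """Installed version lies in [introduced, fixed), or >= introduced if unfixed."""
    if version_lt(version, adv.introduced):
        return False
    if adv.fixed is not None and not version_lt(version, adv.fixed):
        return False
    return True


def audit(inventory, advisories):
    """Return {component: [advisory_id, ...]} for every component whose
    installed version falls inside an affected range (matched by name)."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv.component.lower(), []).append(adv)
    findings = {}
    for name, version in inventory:
        hits = [a.advisory_id for a in by_name.get(name.lower(), [])
                if is_affected(version, a)]
        if hits:
            findings[name] = hits
    return findings


def summarize(inventory, findings):
    """Headline numbers of the kind quoted in the article."""
    return {
        "components": len(inventory),
        "vulnerable_components": len(findings),
        "advisories": sum(len(v) for v in findings.values()),
    }


# Constructed inventory of a hypothetical programmer build (not a real device).
INVENTORY = [
    ("xmlparse", "2.0.1"),
    ("libimage", "1.4"),
    ("netstack", "3.2.7"),
    ("cryptolib", "0.9.8"),
    ("uiwidgets", "5.0"),
]

# Constructed advisory feed; identifiers and ranges are invented.
ADVISORIES = [
    Advisory("xmlparse", "ADV-0001", "2.0.0", "2.0.4"),
    Advisory("xmlparse", "ADV-0002", "1.0.0", "2.1.0"),
    Advisory("netstack", "ADV-0003", "3.0.0", "3.2.7"),   # fixed in the installed version
    Advisory("cryptolib", "ADV-0004", "0.9.0", None),     # no fix available
    Advisory("libimage", "ADV-0005", "1.5.0", "1.6.0"),   # introduced after the installed version
]


def run_audit():
    findings = audit(INVENTORY, ADVISORIES)
    return findings, summarize(INVENTORY, findings)


if __name__ == "__main__":
    found, summary = run_audit()
    for name, ids in found.items():
        print(f"{name}: {', '.join(ids)}")
    print(summary)
```

The audit is only as good as the inventory: an unfixed advisory (`cryptolib` above) cannot be closed by updating, and a library with no fixed release available for an end-of-life operating system is the situation the researchers describe. Real feeds also need fuzzy name matching and platform-specific version schemes, which this example leaves out.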
In a blog post, the two researchers said that no vendor stood out: all of the top vendors rated similarly on software update mechanisms. That is concerning because it points to an industry-wide problem in a sector where lives are at stake.
A large share of the analyzed programmers ran on Windows XP, an operating system that no longer receives security updates, and carried well-known vulnerabilities. The research also flagged the pacemakers' authentication model as a key problem.
Physicians were not required to authenticate to the programmer, and the programmer was not required to authenticate to the implant.
As a result, any programmer can reprogram any pacemaker from the same vendor, which is one of the most serious weaknesses found.
The programmers examined booted straight into the programming software with no login. An attacker who obtained one of these external devices could potentially alter the therapy delivered by the implant. These findings highlight the rift between patient care and cybersecurity.
Matthew Green, an assistant professor of computer science at Johns Hopkins, shed more light on the basis of this rift. He stated that physicians are not ready to let security systems affect patient care.
Medical staff generally want to avoid being forced to enter credentials during an emergency. Without a framework that resolves this conflict, the vulnerabilities could put many patients at risk for as long as health care delivery and cybersecurity remain at loggerheads.
How the equipment is distributed was another concerning discovery. Manufacturers are expected to control the distribution of programmers tightly, precisely because of these weaknesses.
Once a hospital is finished with the devices, they are supposed to be returned to the manufacturer. Yet the researchers were able to buy every component they tested from an online auction site.
According to the research, implantable pacemakers sell for anywhere between $200 and $3,000, home monitoring equipment for $15 to $300 and programmers for $500 to $3,000.
Beyond the software vulnerabilities, the team also found unencrypted patient data stored on some of the programmers, including names, medical information, phone numbers and Social Security Numbers (SSNs). The hospital the data belonged to was not disclosed.
Rios and Butts stated that it is a well-known hospital and the relevant agencies have been briefed on the discovery.
The vulnerabilities discovered in the analyzed pacemaker systems include insecure external USB connections, hardcoded credentials, unencrypted firmware updates, a universal authentication token and a firmware mapping failure.
WhiteScope has reported the findings to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), and the pacemaker vendors are expected to address the vulnerabilities.
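The "universal authentication token" in the list above, together with the earlier finding that programmers do not authenticate to the implant, is the difference between a static secret shared by every device and a challenge-response in which the programmer must prove possession of a key that is specific to one implant. The code below is an added example written for this article, not code from the WhiteScope research or from any vendor; the message formats, the HMAC-based per-device key derivation and the vendor root key are constructed assumptions, and the therapy setting is a stand-in for the real parameters a programmer would change.

```python
"""Universal token vs. per-device challenge-response (added example, constructed)."""
import hashlib
import hmac
import secrets

# Assumption: a vendor root key that would live in a secure element on the
# programmer, never in plain flash. Constructed value for the demo only.
VENDOR_KEY = b"constructed-vendor-root-key-for-demo-only"

# The weak pattern: one static token accepted by every implant of that vendor.
UNIVERSAL_TOKEN = b"same-token-on-every-device"


def derive_device_key(vendor_key: bytes, serial: str) -> bytes:
    """Per-device key = HMAC-SHA256(vendor_key, label || serial); assumed one-step KDF."""
    return hmac.new(vendor_key, b"device-auth|" + serial.encode(), hashlib.sha256).digest()


def auth_response(device_key: bytes, serial: str, nonce: bytes) -> bytes:
    """Response binds the device key, the serial and the fresh nonce together."""
    msg = b"programmer->implant|" + serial.encode() + b"|" + nonce
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class UniversalTokenImplant:
    """Accepts any session that presents the shared token; no freshness, no binding."""

    def __init__(self, serial: str):
        self.serial = serial
        self.therapy = {"rate_bpm": 60}

    def set_rate(self, token: bytes, bpm: int) -> bool:
        if not hmac.compare_digest(token, UNIVERSAL_TOKEN):
            return False
        self.therapy["rate_bpm"] = bpm
        return True


class Implant:
    """Issues a single-use nonce and only accepts a response computed under its own key."""

    def __init__(self, serial: str, device_key: bytes):
        self.serial = serial
        self._key = device_key
        self._nonce = None
        self.therapy = {"rate_bpm": 60}

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def authorize(self, response: bytes) -> bool:
        if self._nonce is None:
            return False                      # no outstanding challenge: reject
        expected = auth_response(self._key, self.serial, self._nonce)
        self._nonce = None                    # consume the nonce: a captured response cannot be replayed
        return hmac.compare_digest(expected, response)

    def set_rate(self, response: bytes, bpm: int) -> bool:
        if not self.authorize(response):
            return False
        self.therapy["rate_bpm"] = bpm
        return True


class Programmer:
    """Holds the vendor key and derives the key for whichever implant it is talking to."""

    def __init__(self, vendor_key: bytes):
        self._vendor_key = vendor_key

    def respond(self, serial: str, nonce: bytes) -> bytes:
        return auth_response(derive_device_key(self._vendor_key, serial), serial, nonce)


def demo_universal_token():
    """A token sniffed from one session reprograms every device, forever."""
    a, b = UniversalTokenImplant("SN-A"), UniversalTokenImplant("SN-B")
    captured = UNIVERSAL_TOKEN                # observed once, on any implant
    return a.set_rate(captured, 80), b.set_rate(captured, 80)


def demo_per_device():
    """Legitimate session succeeds; replay and cross-device reuse fail."""
    prog = Programmer(VENDOR_KEY)
    a = Implant("SN-A", derive_device_key(VENDOR_KEY, "SN-A"))
    b = Implant("SN-B", derive_device_key(VENDOR_KEY, "SN-B"))
    resp = prog.respond("SN-A", a.challenge())
    ok = a.set_rate(resp, 80)                 # fresh response for A's nonce
    replay = a.set_rate(resp, 30)             # same response again: nonce already consumed
    b.challenge()
    cross = b.set_rate(resp, 30)              # A's response presented to B
    return ok, replay, cross, a.therapy["rate_bpm"], b.therapy["rate_bpm"]


if __name__ == "__main__":
    print("universal token:", demo_universal_token())
    print("per-device:     ", demo_per_device())
```

Two caveats a practitioner would add. First, the per-device scheme still rests on the vendor key held by the programmer; given that the researchers bought programmers on an auction site, that key needs hardware protection, a per-programmer identity that can be revoked, or an asymmetric design in which the implant stores only a vendor public key. Second, the emergency-access concern raised above is a policy question that this protocol does not answer: a read-only or time-limited emergency mode has to be designed in deliberately rather than left as "no authentication at all".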