You’d have to be pretty heartless to mess with another human’s pacemaker.
According to a recent study, implantable medical devices from four major manufacturers contain security weaknesses that open the door to particularly malicious hackers.
Medical device security consultancy WhiteScope last week reported a whopping 8,000-plus known vulnerabilities in four different physician programmers from four different manufacturers.
Intended for use by trained medical professionals in the operating room or doctor’s office, programmers allow the practitioner to test pacemaker functionality and set parameters over a wireless connection.
The “controlled” machines are meant to be returned to the manufacturer after use by a hospital. But WhiteScope managed to find about seven on public auction site eBay, selling for $500 to $3,000.
Snagging a handful for research purposes, the company booted directly into the programming software; no login or password needed.
“Pacemaker programmers do not authenticate to pacemaker devices,” WhiteScope founder Billy Rios wrote in a blog entry, lamenting the ease with which an attacker can remotely tamper with the technology.
The company twice confirmed patient data was stored unencrypted on a programmer; in one instance, analysts discovered decoded names, phone numbers, social security details, and medical data belonging to a “well-known hospital on the east coast.”
“Keeping devices fully patched and updated continues to be a challenge,” Rios said. “Despite efforts from the [Food and Drug Administration] to streamline routine cyber security updates, all programmers we examined had outdated software with known vulnerabilities”—more than 8,000, in fact.
For a closer look at WhiteScope’s findings, check out the full paper online.
Concerned for the “overall confidentiality, integrity and availability” of the pacemaker ecosystem, the company suggests vendors perform an “in-depth and holistic evaluation of implemented security controls.”
“By ensuring appropriate security controls are implemented, vendors can help protect against potential system compromises that may have implications to patient care,” WhiteScope said.