Security researchers uncovered over 8,600 vulnerabilities in pacemaker systems and the third-party libraries used to power various components.
Seven different pacemaker programmers from four different manufacturers were audited, and the audit found vulnerabilities associated with outdated libraries used in the programmers' software. Most of these pacemaker systems have similar architectures that include the implanted medical device itself, a home monitoring device, a cloud-based infrastructure that relays data to a physician, and a pacemaker programmer.
The US Food and Drug Administration acknowledges the risk:
“In today’s world of medical devices that are connected to a hospital’s network or even a patient’s own Internet service at home, we see significant technological advances in patient care and, at the same time, an increase in the risk of cybersecurity breaches that could affect a device’s performance and functionality.”
Much has been said about cyberattacks against the healthcare industry, such as data breaches, ransomware attacks, and identity theft, but fewer details have been discussed regarding the safety of medical devices. Now that technical advances have transformed health care delivery, interconnectivity leaves medical devices vulnerable to security breaches.
Circa 2011 in Las Vegas, a man’s life was put in danger when the insulin pump that was affixed to his abdomen by a thin tube was hacked and completely disabled.
Medical-device manufacturers may need to evaluate their respective implementations, and validate that effective security controls are in place to prevent deficiencies.