The more of our lives are wired, the more they become vulnerable to things like software glitches and hackers. That includes pieces of technology we put in our bodies — recently, it’s become clear that vital medical devices like insulin pumps and pacemakers possess the same vulnerabilities as those ill-advised connected tea kettles.
New research makes clear just how vulnerable medical devices really can be. In a recent study, researchers with the security company WhiteScope looked at pacemakers and defibrillators from four different manufacturers, as well as the systems used to monitor and maintain them. And they found 8,000 different vulnerabilities inside the code of the cardiac devices. In case it’s not clear, that is a very big number.
The researchers found all four of the device ecosystems had major problems, including software systems that were not up to date and storage of private patient data that was not encrypted. When the devices were connected to monitoring systems, not one of them required a login name and password or checked to make sure that devices they were connecting to were authentic.
The report notes that pacemaker security faces “some serious challenges.” That might even be a little too polite.
This is particularly concerning in the aftermath of the WannaCry ransomware attack, which impacted many hospitals around the globe. That attack included the first known instance of ransomware directly affecting a medical device, in this case, hospital equipment made by Bayer.
The impact of hacked personal medical devices, though, could be far graver — endangering patients' lives as well as exposing private medical data. This is something cybersecurity experts have warned about for years. Back in 2013, the hacker Barnaby Jack claimed he could take control of a pacemaker from up to 50 feet away and create a lethal shock using the device. Former Vice President Dick Cheney famously had a doctor remove the wireless capability of his pacemaker to protect it from hackers, even though it meant software updates would require surgery.
While medical devices are often old and out of date, and therefore more vulnerable to attack, so far there have been no known cases of hackers harming patients by exploiting those flaws. But the American Food and Drug Administration (FDA) and other agencies are increasingly concerned this might happen in the not-so-distant future. In January, the FDA issued a warning that certain cardiac implants could be hacked and reprogrammed to send out potentially deadly incorrect signals or shocks.
Last year, Johnson & Johnson was forced to tell its customers that its insulin pumps had a security flaw hackers could use to deploy a potentially fatal overdose of insulin.
The more medical devices on the market that communicate wirelessly, the bigger the threat of hacking grows. Yet, it’s clear from reports like WhiteScope’s that for device manufacturers, even basic security like setting up a login and password is not much of a concern.
Another recent study looked at the broader medical device market and found that only 17% of manufacturers had taken any steps to secure gadgets.
Device manufacturers are beginning to pay attention to these things, hiring cybersecurity experts and setting up programs for white hat hackers to report flaws. But when a hack could mean life or death, they can’t fix those systems soon enough.