Pacemakers have been found to contain as many as 8,000 vulnerabilities which not only endanger patient data but also the very lives of patients.
Most pacemakers in use today run outdated software like Windows XP and can be remotely controlled by anyone using custom firmware.
According to White Scope, modern pacemakers suffer from a number of security vulnerabilities which can endanger the lives of patients. The firm examined pacemakers designed and developed by four different manufacturers and observed glaring vulnerabilities which have never been fixed.
Not only do these pacemakers run outdated software like Windows XP, they can also be reprogrammed by anyone without having to fill in login IDs or passwords. At the same time, files on pacemakers' removable media are not encrypted, which makes stealing patient data a minor task for a budding hacker.
Pacemaker firmware is also not cryptographically signed, which makes it easy for anyone using custom firmware to reprogramme pacemakers or remotely control them. At the same time, a number of used pacemakers are not being wiped and researchers noticed that used pacemakers available via eBay auctions still contained patient data.
“These devices are supposed to be controlled, as in they are supposed to be returned to the manufacturer after use by a hospital. In two instances, we were able to confirm that patient data was stored unencrypted on the programmer. In one instance, we discovered actual unencrypted patient data (SSNs, names, phone numbers, medical data…etc.) on a pacemaker programmer. The patient data belonged to a well-known hospital on the east coast and has been reported to the appropriate agency. These types of issues highlight the need for strong device disposal policies from hospitals,” said researchers at White Scope.
The researchers observed that pacemaker manufacturers are often unable to update the firmware as they exchange certain technologies and hardware between themselves and have to conform to existing practices. "Given the similarities between systems, we hope that pacemaker manufacturers work together to share innovative cyber security designs and compete on user experience and health benefits as opposed to competing on cybersecurity,” they said.
Last year, the US Food and Drug Administration issued draft guidance for medical device manufacturers to address cyber security risks. The guidance recommended manufacturers to monitor, identify and address cyber security vulnerabilities in medical devices and understand the importance of information sharing via participation in an Information Sharing Analysis Organization (ISAO).
“The draft guidance will build on the FDA’s existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cyber security issues while their product is on the market,” said Suzanne Schwartz, associate director of the FDA’s Centre for Devices and Radiological Health.
Despite FDA warnings, a number of medical devices fell victim to dreaded WannaCry ransomware attacks. Almost all affected devices were Windows-based and weren't patched for years, thus rendering patient data vulnerable to hackers.
Craig Young, a security researcher at Tripwire, believes that it is difficult to patch security vulnerabilities in medical devices. This is either because considerable time is taken to build and test new firmware updates or because of memory, storage, and processing constraints. At the same time, many medical devices are based on outdated operating systems which are no longer supported and are hence highly vulnerable to potential cyber-attacks.