A recent report from security firm WhiteScope describes more than 8600 flaws in US pacemaker systems and the third-party libraries that power various components of the devices.
The broad list of flaws includes a lack of encryption and authentication, simple bugs in the code and poor design that can put patient lives at risk. These vulnerabilities were associated with outdated libraries used in pacemaker programmer software.
WhiteScope analysed seven different pacemaker programmers from four different manufacturers, with a focus on programmers that rely on modern radio-frequency communication. The programmers are used to monitor the function of implantable devices and set therapy parameters.
Most of these systems run on a similar architecture: an implanted medical device, a home monitoring system, a pacemaker programmer and cloud-based infrastructure that relays data to a physician.
One manufacturer alone had 3715 flaws and another had 2354. In one instance, the researchers found the models didn’t require physicians to authenticate a programmer, and the programmers didn’t authenticate implantable pacemakers – which means anyone who can get within range of the device can alter the implanted device’s settings.
“Any pacemaker programmer can reprogram any pacemaker from the same manufacturer,” the researchers said in a statement.
Further, these systems stored file data unencrypted on removable media, which means anyone who picks up a device can read its contents and work out how to attack it. The design flaw highlights the need for manufacturers to overhaul the basic design rather than patch individual components.
In another instance, actual unencrypted data that included Social Security numbers, names, medical data and other patient data of a “well-known hospital on the east coast” was left exposed on a pacemaker programmer. The researchers contacted the “appropriate agency” with their findings.
“As seen in other medical device verticals, keeping devices fully patched and updated continues to be a challenge. Despite efforts by the FDA to streamline routine cybersecurity updates, all programmers we examined had outdated software with known vulnerabilities,” the researchers said.
“The pacemaker ecosystem has some serious challenges when it comes to keeping systems up-to-date. No one vendor really stood out as having a better/worse update story when compared to competitors.”