Pacemakers and other medical equipment vulnerable to hacking

And while cyber security companies are continually updating and improving software and security systems in order to identify and ward off attacks by hackers bent on disrupting systems, medical devices, particularly the technology we put into our bodies, such as pacemakers and insulin pumps, are also vulnerable to hacking.

A new study recently published by the security firm WhiteScope makes it very clear just how vulnerable these embedded devices we use to save our lives really are to cyber attacks. Interestingly, the research comes just a short time after the U.S. Food and Drug Administration (FDA) admitted that some pacemakers and other cardiac devices are vulnerable to hacking, according to Engadget.

From the implantable device (pacemaker), data flows to the physician’s office, or in the case of an implanted defibrillator, the data can go from the operating room to the physician programmer and on to the patient support network. But all aspects of the system are vulnerable.

WhiteScope

What the study found
Whitescope’s research looked into pacemakers and defibrillators from four different manufacturers, as well as the systems used to monitor and maintain them. They found over 8,000 “bugs,” or vulnerabilities in codes that hackers can exploit. All four manufacturers’ devices had major problems, including software systems that weren’t up to date and storage of private patient information that was not encrypted.

Much more troubling – When the devices were connected to a monitoring system, no Login name or password was required and there was no way to authenticate if the monitoring system they were connecting their device to was authentic. Having no encryption of data means patient data such as name, address, social security number, physician’s name and medical and drug information is available to the hacker.

Vulnerability of medically implanted devices
While there have been no known incidents of hackers purposely harming patients, Gizmodo points out it is only a matter of time, especially after the recent Wanna Cry ransomware attack, which impacted many hospitals around the globe. As a matter of fact, medical facilities in the U.S. were attacked, too, although the numbers remain unclear.

This image shows two different kinds of devices used for the remote monitoring of pacemaker patients. The one on the left, the gray device, is the more advanced device that actually communicates with the pacemaker through the peripherial that is placed over the pacemaker in the patient’s chest. The device on the right is an older version of remote monitoring device. It requires the use of a telephone handset.

Richardelainechambers

However, Forbes is reporting that medical devices in two U.S. hospitals were infected. It appears that a few of Bayer Company’s radiological medical devices used for monitoring what’s known in the industry as a “power injector,” which helps deliver a “contrast agent” to a patient were infected. Contrast agents are chemicals that improve the quality of magnetic resonance imaging (MRI) scans.

A Bayer spokesperson confirmed that two reports from customers in the U.S. had been received but did not supply any further details on the locations. “Operations at both sites were restored within 24 hours,” the spokesperson added. “If a hospital’s network is compromised, this may affect Bayer’s Windows-based devices connected to that network.”

Ransomware: how hackers take your data hostage

Simon MALFATTO, Iris de VERICOURT, Jonathan JACOBSEN, AFP

And last fall, Johnson & Johnson had to tell customers their insulin pumps had a flaw that would allow a hacker to change the flow of insulin, potentially giving the customer a fatal dose of insulin.

Another recent study looked at the overall security of all medical devices and found that only 17 percent of manufacturers had taken any measures to secure the devices against hacking. The study found that “testing for security vulnerabilities rarely occurs. More than half of HDOs do not test medical devices (45 percent) or are unsure if testing occurs (8 percent),”