The U.S. Food and Drug Administration (FDA) recently issued an advisory amid reports of security flaws identified in 465,000 implantable cardiac pacemakers. These devices, which utilize radio frequency (RF) for communications, were recalled for a firmware update that patches the vulnerabilities.
According to the U.S.’ Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the vulnerabilities identified “may allow a nearby attacker to gain unauthorized access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of the pacemaker.” The flaws involve compromising or bypassing the pacemaker’s authentication algorithm, unrestricted RF commands that can be issued, and unencrypted patient information transmitted to programmers and home monitoring units. The flaws could change pace settings and deplete the device’s battery, for instance.
Similar incidents are likely to become more common as medical devices become more connected. On September 7, ICS-CERT issued a similar advisory, and this time the vulnerabilities affected a wireless syringe infusion pumps that are used worldwide, especially in acute care settings (i.e., neonatal and pediatric intensive care). When successfully exploited, the flaws can enable “a remote attacker to gain unauthorized access and impact the intended operation of the pump.” The vulnerabilities entail buffer overflows, hardcoded credentials for establishing wireless connections, and improper certificate validation and access control.
Healthcare organizations increasingly rely on online platforms to provide care and perform critical operations. But bad guys are doing the same, exploiting security gaps in these platforms and turning them into cash cows. A recent hacking attempt in Albany, New York further illustrated the risks when the Schuyler County’s 911 emergency system was disrupted. The intrusions reportedly kept trying various passwords until it accessed their system—which resembles brute-force logins and dictionary attacks. If compromised, the network could’ve been the hackers’ doorway to sensitive, mission-critical, and personally identifiable data.
Indeed, keeping intruders at bay has become a significant facet of a healthcare organization’s bottom line. In the first half of 2017, for instance, hacking (and malware attacks) were major causes of externally reported data breaches in the U.S. Non-profit Privacy Rights Clearinghouse has already recorded 195 incidents of data breaches from January to August 2017.
As such, healthcare organizations should proactively integrate multilayered countermeasures against cyberattacks that threaten the privacy and security of the data and medical devices. Organizations also need to proactively gauge their impact, and employ the response and remediation strategies needed for them.
Apart from the firmware update that they released, the pacemaker’s manufacturer is also communicating with the relevant authorities, global regulators and security experts to “strengthen protections against unauthorized access to its devices.” The wireless syringe infusion pump’s manufacturer is doing the same and currently working on rolling out a security update. ICS-CERT recommends monitoring and logging network traffic as well deploying network segmentation and data categorization to mitigate risks.