Cybersecurity experts continue to develop and improve software and security systems in order to identify and fight off cyberattacks from hackers who exploit system vulnerabilities. Unfortunately, the same cannot be said for manufacturers of life-saving devices.
A new study just revealed that pacemakers are not only vulnerable to being hacked: the code of devices from four different manufacturers also contains more than 8,000 bugs.
Pacemaker Bugs
White Scope conducted an independent study of home monitoring devices, cardiac implants, and physician programmers from four major medical device vendors who employ similar architectures in their products. From their testing, White Scope reveals that the products manufactured by all the selected vendors contained security risks from system-to-system communications and underlying protocols.
The vulnerabilities of the devices are seriously alarming because important data was encrypted neither on the device nor while being transferred to monitoring systems. What is even more alarming is that there was also no way of knowing whether the system a device is connecting to is authentic, which means that any pacemaker programmer can reprogram a device without the need to validate the new program's legitimacy.
To prove just how bad the lack of encryption and updates is, the researchers revealed that they were able to pull up complete patient data, including the patient's name, contact details, and medical records, among others, from the system. The patient data came from a recognized east coast hospital, and the researchers have already reported the incident to the appropriate authorities.
"Obviously, compromise of a pacemaker programmer is a serious matter. The by-design capabilities of pacemaker programmers is significant and compromise of a pacemaker programmer would result in situations where alteration of therapy is possible," White Scope researcher Billy Rios said.
The 8,000 recorded vulnerabilities are, of course, a collective total across the devices, and many of them come from third-party components.
Take a look at White Scope's data below.
Other Medical Devices Also Weak
Another independent study [PDF] conducted by Ponemon Institute LLC showed just how unprepared manufacturers are for cyberattacks.
In the study, appropriately titled "Medical Device Security: An Industry Under Attack and Unprepared to Defend," the institute reveals that only 17 percent of medical device manufacturers have made significant moves to update and protect their device systems. The problem is that manufacturers need to raise their budgets in order to focus on security, but that may not happen soon enough.
Manufacturers were given a list of reasons that could influence the company to prioritize system security and they were each allowed two choices.
Answers reveal that 61 percent said it would take a serious hacking incident before increasing the budget, while 40 percent said it will happen if new regulations are passed.
Considering that many families rely on their devices to keep their loved ones alive, let's hope the second choice happens first.