Vulnerabilities of pacemakers revealed in new study

A new study has revealed just how vulnerable pacemakers are to getting hacked.

Security researcher White Scope conducted an independent study of home monitoring devices, cardiac implants and physician programmers. The devices they analysed come from four major medical device manufacturers and share similar architecture.

White Scope discovered over 8,000 vulnerabilities in the devices from the four different manufacturers. In the report White Scope states this highlights “an industry wide issue associated with software security updates”

Other vulnerabilities show that pacemakers from the same manufacturer can be reprogrammed; pacemaker programmers do not require physicians to authenticate the programme and all pacemakers systems have unencrypted filesystems on removable media, making analysis fairly easy.

More so the availability of pacemaker devices from auction websites is alarming. The researchers showed that pacemakers from all four manufactures were available on auction websites such as eBay, costing anywhere from $200-$3000.

The researchers could gather complete patient data from pacemaker systems, showing just how easily incidents of cybercrime and ransomware can occur.

White Scope researcher Billy Rios said: “Obviously, compromise of a pacemaker programmer is a serious matter. The by-design capabilities of pacemaker programmers is significant and compromise of a pacemaker programmer would result in situations where alteration of therapy is possible”.

A study conducted by the IT security research organisation, Ponemon Institute, recently showed that only 17% of medical device makers and 15% of healthcare delivery organisations (HDOs) are taking steps to prevent attacks on medical devices.

The study surveyed approximately 550 individuals from manufacturers and HDOs, whose roles involve the security of medical devices, including implantable devices, radiation equipment, diagnostic and monitoring equipment, robots, as well as networking equipment designed specifically for medical devices and mobile medical apps.

Dr. Larry Ponemon, chairman and founder of the Ponemon Institute said: “The security of medical devices is truly a life or death issue for both device manufacturers and healthcare delivery organisations. According to the findings of the research, attacks on devices are likely and can put patients at risk. Consequently, it is urgent that the medical device industry makes the security of its devices a high priority."