HOW SECURITY FLAWS ACROSS MEDICAL IMPLANTABLE DEVICES LIKE PACEMAKERS AND DEFIBRILLATORS ARE EMERGING AS THE BIGGEST HEALTHCARE THREAT
Over the past 12 months, security vulnerabilities in implantable medical devices have attracted considerable attention due to the potential threat to patient safety. Last year, MedSec conducted an analysis of pacemaker systems which revealed security vulnerabilities in the Merlin@home transmitter and the associated implantable cardiac devices manufactured by St. Jude Medical. Those vulnerabilities could potentially be exploited to cause device batteries to drain prematurely and the devices to malfunction
Vectramind Mobile Healthcare Solutions |
Johnson & Johnson warned customers about a security bug in one of its insulin pumps last fall. while St. Jude has spent months dealing with the fallout of vulnerabilities in some of the company’s defibrillators, pacemakers, and other medical electronics. However it seems medical device companies are yet to take this threat in a big way.Experts warn they haven’t and security breach across medical devices are the new threat which is yet to be taken seriously by medical devices and healthcare organizations
A recent study of the pacemaker ecosystem has uncovered a plethora of security flaws in devices made by other major manufacturers. Those flaws could potentially be exploited to gain access to sensitive data and cause devices to malfunction.
Billy Rios and Jonathan Butts, PhD of security research firm WhiteScope has recently published a white paper detailing the findings of the study.
The pair conducted an analysis of seven cardiac devices from four major device manufacturers.The researchers evaluated home monitoring devices, implantable cardiac devices and physician programmers, with most effort concentrated on four programmers with RF capabilities.
All of the devices under study were obtained from auction sites such as eBay, even though the devices are supposed to be controlled and returned to the manufacturer or hospital when no longer required. The report explained that all of the manufacturers under test had home monitoring equipment listed for sale on public auction sites.
The researchers found security flaws existed on all pacemaker systems under study.
The filesystems used by the pacemaker systems were unencrypted, with data stored on removable media. Some of the devices stored highly sensitive data such as medical histories and Social Security numbers, yet the data were not encrypted to prevent unauthorized access.
The pacemaker systems allowed physicians to reprogram the devices without authentication and pacemaker programmers did not authenticate with pacemaker devices. The researchers explained that any pacemaker programmer could be used to reprogram any pacemaker from the same manufacturer.
The software used by the pacemaker systems was discovered to contain more than 8,000 known vulnerabilities in third-party libraries across all the devices.
One vendor had 3,715 vulnerabilities in its third-party libraries. According to the research data it was clear there was “an industry wide issue associated with software security updates.”
The study also revealed firmware used by the devices was not cryptographically signed, therefore it would be possible to replace firmware with a custom firmware.
Medical devices with these features—like wireless connectivity, remote monitoring, and near-field communication tech—allow health professionals to adjust and fine tune implanted devices without invasive procedures. However the flip side is that those conveniences also create potential points of exposure. And the proprietary code on these devices means it takes painstakingly reverse-engineering the softwares for implantable cardiac defibrillators for anyone outside a manufacturer to even assess the security of a device, much less discover flaws.
According to a recent research by IOT security firm Zingbox,US hospitals currently average 10 to 15 connected devices per bed. More than 36,000 healthcare-related devices in the US alone are easily discoverable on Shodan,which is a search engine for connected devices, according to a recent Trend Micro survey. Not all are necessarily vulnerable to attack, but since they are publicly exposed attackers are more likely to target them.
According to a recent research by IOT security firm Zingbox,US hospitals currently average 10 to 15 connected devices per bed. More than 36,000 healthcare-related devices in the US alone are easily discoverable on Shodan,which is a search engine for connected devices, according to a recent Trend Micro survey. Not all are necessarily vulnerable to attack, but since they are publicly exposed attackers are more likely to target them.
No comments:
Post a Comment