The US Food and Drug Administration (FDA) has recalled an estimated 465,000 implantable cardioverter defibrillators (ICDs), small devices implanted to treat irregular heartbeats, for firmware updates.
In a safety communication issued on April 17, 2018, it says the devices, made by St Jude Medical, are vulnerable to cybersecurity attacks and at risk of sudden, unexpected battery depletion.
The potential susceptibility of St Jude Medical's ICDs and its Merlin@home monitoring device to cyber-attack was first raised by the healthcare security research firm MedSec; St Jude Medical, which was acquired by Abbott in 2017, challenged the findings. The vulnerabilities identified by MedSec were subsequently confirmed, however, by the cyber security consultancy Bishop Fox.
Carl Livitt of Bishop Fox told Computer Business Review: “Authentication backdoors are not good, especially in implantable cardiac devices that can be misused to kill people.”
Merlin@Home is a small transmitter that people with implanted cardiac devices can plug in at home. It is designed to allow “remote care management of patients with implanted cardiac devices through scheduled transmissions and daily alert monitoring.”
In their 2016 report, Bishop Fox found that the “underlying channel (‘protocol’) over which the Merlin@home, programmer, and cardiac devices communicate is fundamentally flawed in both its design and implementation, making it possible to repurpose Merlin@home devices to emulate a programmer and issue, for example, shocks to patients.”
Authentication Backdoors to your Heart? “Not Good”
Derek Weeks, VP at DevSecOps company Sonatype, emphasised to Computer Business Review that such products had to be “secure by design”, pointing to open source vulnerabilities and highlighting the risk not just to patient health but to the privacy of patient records. Unpatched medical devices like these could also be GDPR non-compliant, he noted.
Lamar Bailey, director of security R&D at Tripwire, said in an emailed statement: “Medical device security is an ongoing problem. It is not uncommon to have multiple versions of the same device at different firmware revisions. Many new models of medical equipment have built-in functionality so that they can be monitored remotely and this has opened up the devices to remote attacks.”
He added: “It is imperative that equipment manufacturers keep up with security issues and trends and then feed them to their customers in the form of updates and information on why it is important to update. The medical device community needs to take everything the IT community has learned over the years and institute the best practices for updating devices. Security in healthcare is more than HIPAA.”
Carl Livitt of Bishop Fox added to Computer Business Review: “Most of the vulnerabilities could be remediated by requiring a very close proximity ‘wake-up’ command to be issued to an implanted device prior to enabling long-range communications. This would require the physician to be in physical contact with the patient.”
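To make the two designs above concrete, the following is an added illustration, not St Jude's protocol, Bishop Fox's code, or anything from the original report. It contrasts the flawed pattern Bishop Fox describes (any device that can speak the long-range protocol can act as a programmer) with the proximity gate Livitt proposes: long-range commands are honoured only inside a session opened by a short-range wake-up, and each command carries a MAC over a session token that was only ever sent on the short-range link. The command names, the 300-second window, the counter-based replay check and the "leaked device key" assumption are all constructed for the example.

```python
"""Added model of a proximity-gated command channel for an implanted device.

Constructed example: the command names, window length and message format are
assumptions for illustration and are not the Merlin/St Jude protocol.
"""
import hashlib
import hmac
import os

SHOCK = "deliver_shock"          # assumed command name
TELEMETRY = "read_telemetry"     # assumed command name
WAKE_WINDOW = 300.0              # seconds a wake-up keeps the long-range link open


def command_tag(key, token, counter, command):
    """MAC binding a long-range command to the session token and a counter."""
    msg = token + counter.to_bytes(4, "big") + command.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class UngatedImplant:
    """The flawed pattern: any well-formed long-range command is executed, so a
    device that can speak the protocol (e.g. a repurposed home transmitter) can
    act as a programmer."""

    def __init__(self):
        self.executed = []

    def handle_long_range(self, command, **_ignored):
        self.executed.append(command)
        return "executed"


class ProximityGatedImplant:
    """Long-range commands are accepted only inside a session opened by a
    short-range wake-up.  The session token never leaves the short-range link,
    so a long-range attacker cannot forge the MAC even if the device key leaked."""

    def __init__(self, device_key, clock):
        self._key = device_key
        self._clock = clock          # callable returning seconds; injectable for tests
        self._token = None
        self._expires = 0.0
        self._last_counter = 0
        self.executed = []

    def wake_up(self):
        """Short-range channel only (wand touching the patient): opens a session."""
        self._token = os.urandom(16)
        self._expires = self._clock() + WAKE_WINDOW
        self._last_counter = 0
        return self._token

    def handle_long_range(self, command, counter, tag):
        if self._token is None or self._clock() > self._expires:
            return "rejected: no open session"
        if counter <= self._last_counter:          # replay / reordering check
            return "rejected: replayed counter"
        expected = command_tag(self._key, self._token, counter, command)
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return "rejected: bad tag"
        self._last_counter = counter
        self.executed.append(command)
        return "executed"


class FakeClock:
    """Deterministic clock so the session timeout can be exercised offline."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


def demo():
    key = bytes.fromhex("00" * 32)   # constructed device key; assume it has leaked
    clock = FakeClock()
    implant = ProximityGatedImplant(key, clock)
    guessed_token = b"\x00" * 16     # attacker never saw the real short-range token

    # 1. Long-range attacker before any wake-up: no session exists at all.
    pre_wake = implant.handle_long_range(SHOCK, 1, command_tag(key, guessed_token, 1, SHOCK))
    # 2. Physician opens a session over the short-range link.
    token = implant.wake_up()
    # 3. Attacker tries again during the open session, still without the token.
    forged = implant.handle_long_range(SHOCK, 1, command_tag(key, guessed_token, 1, SHOCK))
    # 4. Legitimate programmer command bound to the real token.
    legit = implant.handle_long_range(SHOCK, 1, command_tag(key, token, 1, SHOCK))
    # 5. Replay of the captured legitimate message.
    replay = implant.handle_long_range(SHOCK, 1, command_tag(key, token, 1, SHOCK))
    # 6. Session times out; even the holder of the token is refused afterwards.
    clock.t += WAKE_WINDOW + 1
    expired = implant.handle_long_range(TELEMETRY, 2, command_tag(key, token, 2, TELEMETRY))
    # The ungated design executes the same forged command unconditionally.
    ungated = UngatedImplant().handle_long_range(SHOCK)
    return {"pre_wake": pre_wake, "forged": forged, "legit": legit, "replay": replay,
            "expired": expired, "ungated": ungated, "executed": implant.executed}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of binding the MAC to a token that exists only on the short-range link is that it makes a leaked or hard-coded device key (the "authentication backdoor" Livitt refers to) insufficient on its own: an attacker must also have been within touching distance during the session window. The counter and timeout are there because a proximity gate without replay protection would let a home transmitter re-send a command it captured while the physician was present.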
The warning comes after the Department of Health last week agreed a deal with Microsoft to roll Windows 10 out across the NHS in a bid to bolster hospitals’ cybersecurity defences. Westminster’s Public Accounts Committee, meanwhile, has set a June deadline for an update on costed plans for vital security investment across the NHS, which must include “prioritising and costing actions, setting a clear timetable, and ensuring national and local roles, responsibilities and oversight arrangements are clear.”
In a statement, Robert Ford, executive vice president, Medical Devices at Abbott, said: “Technology and its security are always evolving, and this firmware upgrade is part of our commitment to ensuring our products include the latest advancements and protections for patients.” Abbott's statement added: “The cybersecurity update provides an additional layer of security against unauthorized access to these devices, to prevent anyone other than a person’s physician from changing device settings.”