Medical Device Manufacturers And Security

Not working out too well. 750,000 Medtronic defibrillators vulnerable to hacking. These are IMPLANTED medical devices. Subject to hacking.

As many as 750,000 heart devices made by Medtronic PLC contain a serious cybersecurity vulnerability that could let an attacker with sophisticated insider knowledge harm a patient by altering programming on an implanted defibrillator, company and federal officials said Thursday.

The company says the risk is low, but not zero.

Dr. Robert Kowal, chief medical officer for Medtronic’s cardiac rhythm and heart failure products, said in an interview that a hacker would have to be within 20 feet or so of the patient, would need detailed knowledge of the device’s inner workings, and have possession of specialized technology to pull off the hack.

That 20 ft would be subject to the antenna used, “detailed knowledge” is probably available, since the “security researchers” were able to hack into it, and I’m willing to bet that you can buy the “specialized technology” at either Hak5, Element13, or on eBay.

This is not a new issue for the medical device field. Having WiFi support for a device without ironclad authentication for changes seems insane to me. I wouldn’t code an inventory system that way, why are they building a medical device like that?
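To make the "authentication for changes" point concrete, here is a generic sketch of an implant-side command handler in two versions: one that applies any well-formed programming command it receives, and one that refuses to change therapy settings unless the command carries a valid HMAC from a programmer holding the device's key and a counter higher than the last one accepted. This is an added illustration written for this post, not Medtronic's protocol, firmware, or code; the key, the `setting=value` message format, the settings names and the counter scheme are all assumptions constructed for the example.

```python
"""Added illustration: an implant command handler without and with authentication.

Hypothetical sketch written for this post. It is NOT Medtronic's protocol,
firmware, or code; the key, message format and settings are constructed.
"""
import hashlib
import hmac
import struct

# Constructed for the example: a per-device key provisioned at implant time
# and shared only with the clinic's programmer. Not a real key.
DEVICE_KEY = b"example-per-device-key-32-bytes!"


def parse_command(payload: bytes):
    """Parse a constructed 'setting=value' payload into (name, value)."""
    name, _, raw = payload.decode("ascii").partition("=")
    if not name or not raw:
        raise ValueError("malformed command")
    if raw in ("true", "false"):
        return name, raw == "true"
    return name, int(raw)


def command_tag(key: bytes, counter: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over (counter || payload). Binding the counter into the
    tag means a captured command cannot simply be replayed later."""
    return hmac.new(key, struct.pack(">Q", counter) + payload, hashlib.sha256).digest()


class Implant:
    """Device side. Two handlers: the design the post objects to, and one
    that requires a valid tag and a fresh counter before changing anything."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.settings = {"max_rate_bpm": 180, "therapy_enabled": True}

    def apply_unauthenticated(self, payload: bytes) -> bool:
        # Anyone in radio range who knows the format can change therapy.
        name, value = parse_command(payload)
        self.settings[name] = value
        return True

    def apply_authenticated(self, counter: int, payload: bytes, tag: bytes) -> bool:
        if counter <= self.last_counter:
            return False                     # replayed or stale command
        if not hmac.compare_digest(command_tag(self.key, counter, payload), tag):
            return False                     # wrong key or tampered payload
        self.last_counter = counter          # advance only after verification
        name, value = parse_command(payload)
        self.settings[name] = value
        return True


class Programmer:
    """Clinic side: holds the same key and a monotonically increasing counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def build(self, name: str, value) -> tuple:
        self.counter += 1
        payload = f"{name}={str(value).lower()}".encode("ascii")
        return self.counter, payload, command_tag(self.key, self.counter, payload)


def demo() -> dict:
    """Run four cases and report which ones were allowed to change device state."""
    results = {}

    # 1. Unauthenticated design: a nearby attacker's command is simply applied.
    victim = Implant(DEVICE_KEY)
    results["unauth_attacker_accepted"] = victim.apply_unauthenticated(b"therapy_enabled=false")

    # 2. Authenticated design: same attacker without the key; forged tag is rejected.
    implant = Implant(DEVICE_KEY)
    forged = command_tag(b"attacker-guess", 1, b"therapy_enabled=false")
    results["auth_attacker_accepted"] = implant.apply_authenticated(1, b"therapy_enabled=false", forged)

    # 3. Legitimate clinic programmer holding the device key is accepted.
    clinic = Programmer(DEVICE_KEY)
    counter, payload, tag = clinic.build("max_rate_bpm", 170)
    results["auth_clinic_accepted"] = implant.apply_authenticated(counter, payload, tag)

    # 4. Replaying the captured legitimate command is stopped by the counter check.
    results["auth_replay_accepted"] = implant.apply_authenticated(counter, payload, tag)

    results["final_max_rate_bpm"] = implant.settings["max_rate_bpm"]
    results["final_therapy_enabled"] = implant.settings["therapy_enabled"]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The two things the authenticated handler checks are exactly what the quoted "detailed knowledge of the device's inner workings" cannot substitute for: a secret the attacker does not hold, and freshness so that a command sniffed in the clinic cannot be replayed in the car park. A shared static key and a bare counter are the simplest form of this; a real implant design also has to answer how keys are provisioned, how an emergency room reaches a device whose programmer is not present, and how the scheme survives a compromised programmer, none of which the sketch addresses.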

An update since I first started this post… Medtronic cardiac implants can be hacked, FDA issues alert.

A decade or more ago, adding wireless capability to a huge amount of medical equipment looked like an easy win for convenience.

Unfortunately, security was low on the priority list and based on too many assumptions about likelihood and motive. We now see regular medical device security alerts, including one affecting Medtronic’s pacemakers last August.

A decade or more ago companies should have been aware of the existence of hackers.

As I said in regard to the latest ransomware attack, and someone calling it a “wake-up call,” if you are not awake to the problems of security, you are either in a coma, or you’re a corporate executive.