FDA, Homeland Security Issue First Ever Recall, Warnings About Flimsy Pacemaker Security
from the your-heart-attack-has-an-IP-address dept
We've well established that the internet of things (IoT) market is a large, stinky dumpster fire when it comes to privacy and security. But the same problems that plague your easily hacked thermostat or e-mail-password-leaking refrigerator take on a decidedly darker tone when we're talking about your health. The health industry's outdated IT systems are a major reason for a startling rise in ransomware attacks at many hospitals, but this same level of security and privacy apathy also extends to medical and surgical equipment -- and integral medical implants like pacemakers.
After a decade of warnings about dubious pacemaker security, researchers at MedSec earlier this year discovered that a line of pacemakers manufactured by St. Jude Medical was vulnerable to attacks that could kill the owner. The researchers claimed that St. Jude had a history of doing the bare minimum to secure their products, and did little to nothing in response to previous warnings about device security. St. Jude Medical's first response was an outright denial, followed by a lawsuit against MedSec for "trying to frighten patients and caregivers."
Ultimately, the FDA was forced to issue its first ever warning about the security of a pacemaker earlier this year, though the agency somewhat downplayed the potentially fatal ramifications:
"The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks."
Inappropriate, indeed. St. Jude Medical has since been acquired by Abbott Laboratories, and back in April the FDA sent a warning to Abbott that it needed to design a comprehensive plan to fix the flaw (first revealed in August of last year) within fifteen days. That was followed up with a formal, voluntary recall notice issued by the FDA regarding the impacted pacemaker, believed to be the first such warning of its kind. In its warning, the FDA urged the estimated 400,000 owners of this pacemaker model to schedule a physician appointment for a firmware update, lest they find themselves quite literally hacked.
The FDA's alert was also joined by a warning by the Department of Homeland Security outlining the problem as such:
"The pacemaker’s authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications....The pacemakers do not restrict or limit the number of correctly formatted “RF wake-up” commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life."
Comforting. Many security experts have been quick to point out that this may be the turning point at which companies finally begin taking these sorts of problems more seriously. But the lengths it took to bring us to this point are downright comical, with MedSec at one point going so far as to short St. Jude stock to bring necessary attention to the problem. Hopefully, the entire saga is a shot over the bow that other security-apathetic medical implant manufacturers will wisely heed.
Filed Under: cybersecurity, dhs, fda, pacemakers, security
Companies: st. jude medical
Reader Comments
The First Word
21st Century Diseases
Algorithymia: improper beating of the heart, whether irregular, too fast, or too slow, due to hacking of a pacemaker
Flaws
I am curious whether the process for updating the firmware to a non-vulnerable version is itself vulnerable to any dangerous flaws, such as loading it with unauthorized firmware.
I doubt such a law could go through, but it could be entertaining to see the results of a law that disallows disclaiming liability for known faults that lead to death. That would effectively allow the estate to pursue legal action against vendors who sell devices with known security defects. I assume no such law exists now, because if it did, the vendor would have rushed to fix this when the flaws were first announced, independent of any prompting by the FDA.
Re: Flaws
This of course had nothing to do with another company shorting their stock & pointing out they were hackable. They kept saying it was impossible as they tried to ignore the data.
The notices suggest that when you get your firmware updated, perhaps some people should be in the hospital ready to have outside pacing if the firmware bricks it.
They are much safer now, the new password is 12345 replacing 123 and making it much harder to hack them.
Re: Flaws
Good job America has the FDA then.
The Baxter Colleague infusion pump was notorious for technical problems and AFAIK was implicated in a number of adverse incidents. Despite this, Baxter failed to make sufficient headway in resolving the problems, and in the end the FDA ordered that all such devices in the USA be recalled and destroyed.
Patents and Monopolies
We need to separate research from manufacturing somehow.
Culture change required
I'm a hardware guy, and while I've not worked for St. Jude personally I've known many who worked there, at Medtronic, etc. In fact, the guy across the aisle is a veteran of those companies.
The problem at places like Medtronic is more cultural than anything. Medtronic is referred to internally as "The Country Club" for good reason: it's a relatively slow moving tech company dominated by doctors and bureaucratic management. Now in general, that's a good thing since your average techie is a little too willing to cut corners on verification than I'd like in a medical device, but it does lead to technological blind spots like in this case.
Trying to get a doctor interested in something that's this esoteric and out of their sphere of knowledge is just about impossible. Doctors tend to be pretty dictatorial and when they don't understand something like a tech issue, they just tend to ignore it as you can see from all the lax to non-existent security in just about all medical devices. In fact, one of the biggest complaints I've heard from the guys who worked in biomed companies is that it's just about impossible for techies to get any input into serious decision or product specification. It makes it rather frustrating for techies in biomed companies who recognize real issues and yet get completely ignored and shut down. The fact biomed pays more poorly, equips its engineers with poor tools, and generally gives them little input into how things could be done isn't a package that leads to excellence in the engineering staff overall. Although I know some very good engineers who work in biomed, they aren't there for the pay or working conditions.
Most of these medical companies need to find a better way to balance the inputs of doctors and engineers. Right now there's really no balance inside the companies.