At the heart of pacemaker hacking problems: Lack of coordination
More than 465,000 people in the United States have begun to receive recall notices for their implanted pacemakers, thanks to potentially fatal device security vulnerabilities, the Food and Drug Administration announced August 29. And the threat of hackers manipulating, altering, or shutting down implanted medical devices is forcing the stakeholders to consider better ways to communicate and coordinate.
Six pacemaker models from Abbott are listed in the recall, including Accent, Anthem, Accent MRI, Accent ST, Assurity, and Allure. Abbott acquired St. Jude’s Medical, which previously manufactured the pacemakers, earlier this year.
The devices might have been recalled sooner, had the disclosure of the vulnerabilities been coordinated with St. Jude Medical. Investment firm Muddy Waters Capital and cybersecurity company MedSec Holdings caused “a big blowup” when it skipped the standard procedure of first notifying the company this summer, Jessica Wilkerson, staff member on the House Committee on Energy and Commerce, said at the hacker conference B-Sides Las Vegas at the end of July.
Instead, they publicly disclosed the vulnerabilities via a report last August, explaining the investment firm’s short position on St. Jude Medical.
They “didn’t give the company any warning,” she says. The zero-day disclosure and short-selling led to a lawsuit by St. Jude Medical, prior to its acquisition by Abbott.
“We, as the committee, are not huge fans of that,” Wilkerson says, referring to the zero-day disclosure. “There are serious patient safety concerns.”
READ MORE ON CONNECTED MEDICAL DEVICES
Yes, your life-saving medical devices can be hacked
Critical systems at heart of WannaCry’s impact
Time for a Department of the Internet of Things?
The long reach of Mirai, the Internet of Things botnet
Hackers call for federal funding, regulation of software security
Living on the edge of heartbreak: Researcher hacks her own pacemaker
Abbott says it’s actively working to update the pacemakers.
“These are part of planned updates we mentioned back in January, and further strengthen the security and device management tools for our connected cardiac rhythm management (CRM) devices,” Abbott representative Candace Steele Flippin said in an emailed statement to The Parallax.
“There have been no reports of unauthorized access to any patient’s implanted device, and according to an advisory issued by the U.S. Department of Homeland Security, compromising the security of these devices would require a highly complex set of circumstances,” the company added in a separate statement.
“The stakes are high here.”—Dr. Suzanne Schwartz, associate director, science and strategic partnerships, FDA
While medical and cybersecurity experts acknowledge that hacks of the devices, which would require extremely close proximity, are not likely, the risk underscores the need for security researchers and doctors to work better with the FDA and manufacturers to ensure patient safety.
Security researchers worry about a lack of transparency regarding the software running on implanted medical devices. They also are concerned about how their investigations might conflict with strict U.S. hacking laws. Doctors, meanwhile, worry about protecting their patients, device manufacturers worry about how potential hacking-oriented headlines could affect their business, and the FDA worries about how to keep patients safe while working productively with security researchers and manufacturers.
Since 2009, doctors and medical technicians have been maintaining and updating pacemaker software via Wi-Fi connections. Insulin pumps, glucose monitors, and infusion pumps have since joined the Internet of Things club. And despite an increasing awareness of IoT hacking vulnerabilities, Grand View Research expects investments in medical IoT to skyrocket from $58.9 billion globally in 2014 to $410 billion by 2022.
Pacemaker manufacturers Abbott, Medtronic, Boston Scientific, and their trade association, AdvaMed, declined to comment for this story. In a white paper outlining its cybersecurity principles, however, AdvaMed addresses ways manufacturers can work to secure devices as they are designing and developing them; creating consensus standards involving patients, doctors, and technicians; sharing information; and coordinating with other stakeholders on disclosures of vulnerabilities.
The way in which Muddy Waters and MedSec revealed the pacemakers’ vulnerabilities delayed their recall, says Dr. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA.
“Coordinated assessments, which we would hope would otherwise go very, very smoothly, couldn’t take place,” she says. “They unraveled because of the litigation, and that adds time to get to ground truth, in regards to the existence of the vulnerabilities and mitigate their impact.”
Schwartz says she doesn’t believe that the zero-day disclosure, Muddy Waters’ short-selling, nor the subsequent lawsuits impacted trust among the general public in pacemakers. But she doesn’t want to see that kind of behavior become a trend, and she says the FDA is working with security researchers and medical-device manufacturers to address the barriers between them.
“Only a handful of medical-device manufacturers have been open about their disclosure policies. We want more than 10. That’s a goal for this coming year,” she says. “The stakes are high here.”
At the heart of the challenge is doing what’s best for the patient, says Dr. Christian Dameff, a cybersecurity researcher and an emergency room physician for the University of California at San Diego School of Medicine. He says that while the public needs to hear about inherent and apparent risks in connected medical devices, he worries that fears of hacking could lead people to abandon live-saving technology.
“If the end result of this was for patients to decline having life-saving devices, that would be a terrible outcome. But every time this happens, you’re chipping away at that important bond between the health care system and the patient.”—Dr. Nick van Terheyden, chief medical officer, NTT Data
“Every three to four years, we see nasty vulnerabilities get dropped on these devices,” he says. “The risks to hacking pacemakers are overblown. The risks of people not using pacemakers are high.”
Dr. Nick van Terheyden, the chief medical officer of NTT Data, estimates that the Abbott pacemaker recall will cost health care providers and patients millions of dollars—more than $100, on average, per patient. It’s also taking a toll on patient trust.
The vulnerability disclosures and subsequent recall “damages the overall trust in the system and the devices,” he says. “If the end result of this was for patients to decline having life-saving devices, that would be a terrible outcome. But every time this happens, you’re chipping away at that important bond between the health care system and the patient.”
Chances are that it happens again soon. In a study published in May, security researchers Billy Rios and Jonathan Butts revealed that they’d found more than 8,000 known security vulnerabilities in four different pacemaker programmer systems from four different manufacturers. These programmer systems are used to alter the behavior of the pacemaker.
“In two instances, we were able to confirm that patient data was stored unencrypted on the programmer,” the report says.
Arguably worst of all, Dameff says, is that there’s no reliable information available as to whether patient pacemakers have actually been hacked while in use. That’s because the manufacturer-supplied devices that log pacemaker behavior lack the ability to determine whether they’ve been hacked, he says.
“We don’t have good data capture techniques to know when these devices have been compromised,” Dameff says. “I won’t know that anytime soon, and the device manufacturer won’t know that anytime soon.”