What’s the Best Way to Handle Medical Device Security Concerns?

http://www.govinfosecurity.com/interviews/whats-best-way-to-handle-medical-device-security-concerns-i-3313

We need to work on protocol how to properly reveal security vulnerabilities on medical devices to keep patients safe.

2 Comments

  1. Tomi Engdahl says:

    Hacking risk leads to recall of 500,000 pacemakers due to patient death fears
    https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update

    FDA overseeing crucial firmware update in US to patch security holes and prevent hijacking of pacemakers implanted in half a million people

    Almost half a million pacemakers have been recalled by the US Food and Drug Administration (FDA) due to fears that their lax cybersecurity could be hacked to run the batteries down or even alter the patient’s heartbeat.

    The recall won’t see the pacemakers removed, which would be an invasive and dangerous medical procedure for the 465,000 people who have them implanted: instead, the manufacturer has issued a firmware update which will be applied by medical staff to patch the security holes.

    Six types of pacemaker, all made by healthtech firm Abbott and sold under the St Jude Medical brand, are affected by the recall. They are all radio-controlled implantable cardiac pacemakers, typically fitted to patients with slow or irregular heartbeats, as well as those recovering from heart failure.

    There have been no reports of unauthorised access to any patient’s implanted device, according to Abbot. The FDA says that the vulnerability allows an unauthorised user to access a device using commercially available equipment and reprogram it. The hackers could then deliberately run the battery flat, or conduct “administration of inappropriate pacing”. Both could, in the worst case, result in the death of an affected patient.

    The US Department of Homeland Security said that “it is recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update”.

    Reply
  2. Tomi Engdahl says:

    Cyber-flaw affects 745,000 pacemakers
    http://www.bbc.com/news/amp/technology-41099867

    A total of 745,000 pacemakers have been confirmed as having cyber-security issues that could let them be hacked.

    The Food and Drug Administration revealed that 465,000 pacemakers in the US were affected, in an advisory note about a fix to the problem.

    The pacemaker’s manufacturer, Abbott, told the BBC there were a further 280,000 devices elsewhere.

    The flaws could theoretically be used to cause the devices to pace too quickly or run down their batteries.

    However, Abbott said it was not aware of any cases of this happening, adding that it would require a “highly complex set of circumstances”.

    The Department of Homeland Security has said that an attacker would need “high skill” to exploit the vulnerabilities.

    Pacemakers manufactured after 28 August will come with the new firmware pre-installed.

    “As with any firmware update, there is a very low risk of an update malfunction,” the FDA said.

    The regulator noted a very small number of St Jude devices had lost all functionality after a firmware update in the past.

    Abbott said some patients might opt to continue with the old firmware as a consequence.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*