The U.S. Department of Homeland Security last week warned that numerous medical devices made by Medtronic are vulnerable to cyber attack. The vulnerabilities affect 17 of the company’s implantable cardiac device models and the external equipment used to communicate with them.
A Medtronic spokesperson told IEEE Spectrum that the company voluntarily disclosed the vulnerabilities to the Department of Homeland Security (DHS), and that “no cyberattack, privacy breach, or patient harm has been observed or associated with these issues.”
At risk are certain models of heart-regulating devices: implantable cardiac resynchronization therapy/defibrillators (CRT-Ds) and implantable cardioverter defibrillators (ICDs). CRT-Ds send electrical impulses to the lower chambers of the heart to help them beat together in a more synchronized pattern. ICDs deliver electrical impulses to correct fast heart rhythms. External computers program the devices and retrieve information.
Such devices emit radio frequency signals that can be detected up to several meters from the body. A malicious individual nearby could conceivably hack into the signal to jam it, alter it, or snoop on it, according to the Feds’ warning.
Signals that are unencrypted, as was the case with Medtronic’s devices, make intentional interception easy, says Shreyas Sen, an electrical and computer engineer at Purdue University. “It would be like sitting in a room listening to someone speaking in plain language,” he says.
For more than a decade researchers have repeatedly warned that medical devices could be turned into murder weapons. Scientists have demonstrated in written reports and live, at conferences, how to hack into an insulin pump, or a pacemaker, or even an entire hospital network.
Medtronic is one of several companies over the last few years to publicly disclose weaknesses in the cybersecurity of its medical devices. Smiths Medical in 2017 disclosed, through DHS, that its wireless drug pump, typically used in hospitals, could be hacked remotely. The U.S. Food and Drug Administration (FDA) the same year notified the public of vulnerabilities in St. Jude Medical’s implantable cardiac devices, including pacemakers, defibrillators and resynchronization devices. An attacker could crash a breathing therapy machine made by BMC Medical and 3B Medical, DHS warned in 2017.
DHS’s Cybersecurity and Infrastructure Security Agency (CISA) started tracking medical device vulnerabilities in 2013. The agency issued only seven advisories over the first five years, a CISA spokesperson told IEEE Spectrum. That number jumped to 16 in fiscal year 2017 and nearly twice that many—29—in fiscal 2018, the spokesperson said. The U.S. Federal Drug Administration and DHS in October announced a framework to coordinate their response to medical device cybersecurity threats.
No known attack on a life-supporting medical device has actually occurred, makers of such machines often point out. And encrypting the signals on these devices should provide reasonable protection. But Sen, at Purdue, says encryption isn’t enough. “The physical signals are available, and we are not good with using passwords,” he says.
To thwart would-be attackers, Sen and his colleagues have designed a countermeasure: a device worn around the wrist that uses a particular low-frequency range to confine within the human body all of the communication signals coming from a medical device.
The signals create what’s known as an electro-quasistatic field using the body’s conductive properties. Signals from a pacemaker can travel from head to toe, but they won’t leave the skin. “Unless someone is physically touching you, they don’t get the signals,” Sen says.
Sen and his colleagues call it electro-quasistatic human body communication, and described it earlier this month in the journal Scientific Reports. In the study, Sen’s prototype successfully confined to the body signals from a wearable device. The researchers have not yet tested their prototype on people with an implanted medical device.
Bonus: signals in the electro-quasistatic range use a fraction of the energy of traditional Bluetooth communication.
Medtronic, for its part, is developing a series of software updates to better secure the wireless communication affected by the issues described in the advisory, according to a Medtronic spokesperson. The first update is scheduled for later in 2019, subject to regulatory approvals. Medtronic and the FDA recommend that patients and physicians continue to use the devices.