A US government probe into claims that certain
heart implants are vulnerable to hacking attacks has resulted in emergency
security patches being issued for devices that cardiac patients have in their
homes.
The medical devices under the microscope come from
St Jude Medical, recently acquired by Abbott Laboratories, which was informed by
researchers last year that its devices could be forced to malfunction by
administering a mild electric shock or pacing at a potentially dangerous rate, or
be tricked into suffering a high-risk battery drain.
Controversially, research company MedSec Holdings
and hedge fund Muddy Waters reportedly profited by short selling stock in St Jude
Medical before telling the manufacturer about the serious
vulnerabilities.
The St Jude Medical Merlin@home Transmitter
connects the tiny computer inside a patient’s implanted cardiac pacemaker to a
doctor’s surgery or clinic, using a telephone line, internet connection or 3G
cellular network to communicate critical information about a patient’s heart
activity.
The good news for patients is that they don’t have
to make as many trips to the clinic, and don’t have to see their doctor in
person so often. Remote monitoring allows a doctor to both monitor how a heart
is behaving, and see if the implanted device is behaving unusually.
From this point of view, the technological advance
can be seen as a good thing. But there is a genuine concern – as we have described before
– that the rush to embrace technology to improve and save patients’ lives could
introduce high-tech risks.
Perhaps most memorably, security researcher Barnaby
Jack demonstrated in 2012 how he reverse-engineered a device to deliver a
deadly 830-volt shock to a pacemaker from a distance of 30 feet, and discovered
a method to scan insulin pumps wirelessly and configure them to deliver more or less
insulin than patients required, sending patients into
hypoglycaemic shock.
In a press release announcing
its security updates, St Jude Medical emphasised that it was “not aware of any
cyber security incidents related to a St Jude Medical device.”
“We’ve partnered with agencies such as the U.S.
Food and Drug Administration (FDA) and the U.S. Department of Homeland Security
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) unit and
are continuously reassessing and updating our devices and systems, as
appropriate,” said Phil Ebeling, vice president and chief technology officer at
St. Jude Medical.
Carson Block, CEO of Muddy Waters, meanwhile
believes that going public about the vulnerabilities forced St Jude Medical to
take swifter action to fix them, and feels that the fixes do not go far enough:
“…had we not gone public, St. Jude would not have
remediated the vulnerabilities. Regardless, the announced fixes do not appear
to address many of the larger problems, including the existence of a universal
code that could allow hackers to control the implants.”
Researchers claim that the St Jude Medical devices
use very weak authentication, opening up potential opportunities for
non-hospital staff to hack a home device into sending electrical shocks and
malicious firmware updates to vulnerable implanted devices.
While more investigation is conducted into how the
implanted devices themselves might be made more secure, patients are urged to
make sure that their Merlin@home units are plugged in and connected to a phone
line or cellular adapter to receive the current and future security updates
automatically.