Implantable Cardiac Devices Could Be Vulnerable To Hackers, FDA Warns

The U.S. Food and Drug Administration warned on Monday that pacemakers, defibrillators and other devices manufactured by St. Jude Medical, a medical device company based in Minnesota, could have put patients' lives at risk, as hackers could remotely access the devices and change the heart rate, administer shocks, or quickly deplete the battery. Thankfully, St. Jude released a new software patch on the same day as the FDA warning to address these vulnerabilities. Motherboard reports: St. Jude Medical's implantable cardiac devices are put under the skin, in the upper chest area, and have insulated wires that go into the heart to help it beat properly, if it's too slow or too fast. They work together with the Merlin@home Transmitter, located in the patient's house, which sends the patient's data to their physician using the Merlin.net Patient Care Network. Hackers could have exploited the transmitter, the manufacturer confirmed. "[It] could (...) be used to modify programming commands to the implanted device," the FDA safety communication reads. In an emailed response to Motherboard, a St. Jude Medical representative noted that the company "has taken numerous measures to protect the security and safety of our devices," including the new patch, and the creation of a "cyber security medical advisory board." The company plans to implement additional updates in 2017, the email said. This warning comes a few days after Abbott Laboratories acquired St. Jude Medical, and four months after a group of experts at Miami-based cybersecurity company MedSec Holding published a paper explaining several vulnerabilities they found in St. Jude Medical's pacemakers and defibrillators. They made the announcement at the end of August 2016, together with investment house Muddy Waters Capital.

Re:The FDA is part of the problem.

[geekmux]

...And, why is the FDA pointing a finger at device manufacturers, whey they themselves are responsible for device approval and should have identified these issues before giving that approval?

Because the FDA does not maintain an elite army of Cyberhackers. That's why.

Either they're responsible for ensuring that devices are safe, or they're not. They can't have it both ways. Your government at work.

Divisions of the government that do maintain Cybersecurity divisions have been hacked, as well as the corporate sector. Even the most accelerated plan to approve changes may not be fast enough to keep up with potential threats and discovered vulnerabilities.

Perhaps the ultimate answer is to not tie every fucking thing to the damn cloud.

I know, I know. Fuck the inherent risks, because whoring out our digital lives is worth it every time.

Re:More than decade old news

[rmdingler]

So, just like every internet accessible medical device ever.

IoT

[e**(i+pi)-1]

= " I opt for a Tomb"

A lack of software freedom can be lethal & sca

[jbn-o]

Karen Sandler, Executive Director of the Software Freedom Conservancy, has an enlarged heart (hypertrophic cardiomyopathy) and is at risk of suddenly dying (due to a medical condition called "sudden death"). She has no symptoms. She has given a talk about this many times at tech conferences, you should be able to find a copy of her talk online quite easily. She calls herself a "cyborg lawyer running on proprietary software" because she needs to wear a pacemaker/defibrillator device on her heart which keeps her heart beating within a predetermined acceptable range (not too slow, not too fast) by shocking her heart until it beats at an acceptable rhythm. Sandler said she's been shocked before and it's like being kicked in the chest and it takes the wind out of her for a while, requiring her to take some time for recovery.

She knew of software freedom and figured on these weaknesses in these devices, some of which can be controlled remotely at some distance, because all of them run on proprietary software. She tried to get the source code, even offering to sign a non-disclosure agreement to do so, and nobody would share the code with her. She said she was the only one to ask her doctors about what ran on the device. She therefore chose an older model which requires the "programmer" device which sends a signal to the pacemaker/defibrillator be quite close to her body so that she'd probably know if someone were doing things to her device. The lack of software freedom and full user control (ownership) of the device is quite obviously a health risk and possibly lethal. Don't let anyone tell you a lack of software freedom isn't serious.

An interesting thing happened during her pregnancy, which she explained in an update to her talk: She learned that a pregnant woman's heart sometimes naturally races. For most women of childbearing age this isn't a problem as they're unlikely to need a pacemaker/defibrillator, so their heart can occasionally race without serious consequences. For Sandler this racing triggers the device to shock her back into an "acceptable" heart rhythm. It appears that the pacemaker/defibrillator device makers didn't test this device on women young enough to be of childbearing age but they're apparently happy to sell the devices for implanting into users of any age. This lack of testing in combination with the lack of software freedom means the device manufacturers aren't doing due diligence and they're preventing younger women, such as Sandler, from looking out for their own interests—avoiding "sudden death". One can only imagine what horrible multiply lethal outcome could predictably result for a pregnant woman with the same condition Sandler has whose heart races when she was driving while receiving a shock from her non-free pacemaker/defibrillator device. Don't let anyone tell you a lack of software freedom isn't serious.

What made anyone think they weren't ?

[Crashmarik]

I know I can't think of any internet connected system that doesn't have potential vulnerabilities. Why would anyone think medical devices were some sort of magical exception ?

Re:The FDA is part of the problem.

[skids]

This is a silly argument you are making. Compliance to legal and policy requirements do not have to be validated by the enforcing agency. If they did, we'd have to hire people to stand in your driveway and check that your seatbelt was buckled every time you drove off.

So medical researchers don't understand security.

[mmell]

During development of these devices, I suspect that if the software developers ever tried to raise security concerns, they were (correctly) told to worry about that after they had a device that could save lives. Not unlike documentation, once the miracle gizmo has made it past the FDA (I.e., gone into production), going back to fix kludges and clean up dirty code slides wa-a-ay down the list of priorities. Happens all the time in IT.

True story.

Re:The FDA is part of the problem.

[phantomfive]

I don't trust the FDA. I know what you are talking about, I've worked in the medical device industry, and it's a serious pain to get device approval, and the approval doesn't mean the code quality is good.

That said, I trust the manufacturers even less, because I've worked with them. If you let them do easy OTA updates the way we update cell phones, you'll end up with a bunch of people dropping dead on February 29th.

Re: Record and Replay

[GuB-42]

Pacemakers aren't that radioactive. They are on similar level as tritium tubes used for illumination. You need lots and lots of them to do a meaningful dirty bomb, and it isn't the right isotope for fission bombs.
As for banning them, are they really banned? There are many reasons why they aren't used anymore :
- improvement in lithium battery technology
- life expectancy of people with pacemaker is relatively low on average. So in most case, the extreme battery life of nuclear pacemaker is not needed.
- pacemaker technology constantly evolves so changing an old pacemaker has benefits beyond the battery
- plutonium-238 is becoming more and more expensive and hard to find, even space agencies have trouble getting it

Re:Reaction from Slashdot users

[TheRaven64]

Anyone who manages to get Linux running on a pacemaker deserves a lot of credit. These devices consume an order of magnitude or two less power than the smallest systems to run Linux.

Re:The FDA is part of the problem.

[TheRaven64]

I agree with your heading, but not with the rest of your post. The problem is that the FDA requires that the company have the software certified as safe by a third party, but places very few rules on what this entails. In a lot of cases, the people certifying the software don't even have access to the code: they read the design docs, but nothing else. There's no red teaming of medical device software before widespread deployment and no auditing by the FDA. The FDA is happy to certify such devices as 'safe' with nothing like enough information to be able to honestly make that claim.

Re:The FDA is part of the problem.

[geekmux]

If the FDA is going to regulate this sort of thing, they'd better get some experts in.

After careful analysis, the expert steps up to the FDA Directors desk with a single sheet of paper. It reads:

To Whomever is Pretending to Be Concerned,

Stop putting every fucking thing in the damn cloud.

Sincerely,

Common F. Sense