Hackers take aim at common medical devices

Busy heart hospitals and clinics often have a procedure room where pacemaker and defibrillator patients go to get regular checkups on the small computers implanted inside their chests.

Lately, device companies have been reminding doctors to make sure to lock the doors and cabinets in those rooms, as reports surface that the machines used to conduct the device checkups could be vulnerable targets for hackers and thieves.

Since 2016, all three U.S. makers of pacemakers and defibrillators, all with major operations in Minnesota, have had cybersecurity warnings issued for the machines used by doctors to program and test implanted heart devices. Medtronic acknowledged a vulnerability in its programmer on Feb. 27, and Boston Scientific acknowledged a vulnerability in October. Both said the security issues presented little or no risk to patients when the Homeland Security Department publicized the issues.

St. Jude Medical, meanwhile, opted to sue the researchers and investors who claimed the med-tech company's in-office programmers and at-home bedside monitors were surprisingly vulnerable to malicious computer hacking. Abbott Laboratories, which acquired St. Jude in 2017, quietly settled that litigation last month after issuing a series of software updates and vulnerability disclosures.

"Connected devices and remote monitoring have done so much to advance patient care in recent years," said Kelly Morrison, a spokeswoman for Abbott Laboratories. "With any connected device, whether medical or nonmedical, there is always going to be some level of security risk. … We as an industry need to be vigilant about including the latest security protections in our products and updating them as technology evolves or as new vulnerabilities are identified."

The U.S. health care market is home to many thousands of these cardiac-device programmers, which look like laptop computers and are designed to communicate wirelessly with implanted pacemakers and defibrillators. The programmers are intended to be used in an operating room when a device is implanted, and in a medical exam room during regular checkups.

They are not supposed to be sold online, where anyone could buy one and tear it apart. However, the Star Tribune found several available online as of Friday afternoon.

Heart-device programmers are designed to be compatible with many different versions of one company's implanted devices. No programmer today can communicate with different companies' devices. Manufacturers make them available to hospitals and clinics at no charge, and then lump the costs into the price tag for a pacemaker or defibrillator.

Device manufacturers say the in-office programmers that communicate with implanted heart devices would be of little use to a hacker who wanted to harm a patient. Dr. Jay Sengupta, co-director of the cardiac device clinic at Abbott Northwestern Hospital, agreed: "You have to go to a patient, put the wand over their pacemaker or defibrillator, and confirm the device model. Then the programmer essentially starts to communicate and download information," he said.

Yet, independent computer hackers continue to buy used programmers from internet sites and exploit vulnerabilities to access patient data or network passwords.

"Things tend to fail at the interfaces. So if you're looking for fruit as a researcher, you generally want to look where systems interact," said longtime med-tech security researcher Ben Ransford, CEO of cybersecurity firm Virta Labs.

"The [Medtronic] programmer plays a crucial role in care, and also appears to be a Windows XP machine. … It looks like a pretty juicy target to an attacker. So I'm not at all surprised with the focus on this one."

Medtronic said last week that a vulnerability in its CareLink 2090 programmer could not affect patient health.

The researcher who brought the issue to light, Billy Rios, disagrees. When Medtronic said it had disproved Rios' allegation, Rios said his firm had already discovered a different "exploit chain" using the same vulnerabilities to allow a malicious hacker to change a patient's therapy settings without their knowledge.

"We completed an assessment of [Rios' vulnerability report] and outcomes are reflected in the associated [Homeland Security] advisory jointly approved by Medtronic and Mr. Rios," Medtronic spokeswoman Kathleen Janasz said via e-mail Friday. "Researchers play an important role in the security field. While we don't always agree, we believe their contributions overall can be valuable in identifying potential security vulnerabilities."

There has never been a confirmed report of a hacker compromising a medical device with the intent to harm a patient, which some researchers say shows that the security system in place is working.

The Securities and Exchange Commission said last month that cybersecurity risks pose "grave threats" to investors and the nation. Yet one prominent med-tech stock analyst, who wasn't authorized to talk on the record, said investors are not closely tuned in to the issue.

Although St. Jude's stock did drop after the cyber-vulnerabilities in its devices were revealed in August 2016, Abbott's offer to acquire the company didn't change, and the roughly $25 billion deal went through as expected in January 2017.

The St. Jude vulnerabilities appeared to be the most serious of the three major U.S. pacemaker companies. Abbott says it has taken several steps to mitigate the risks, including those from vulnerabilities in its Merlin PCS programmers.

Before the fixes were applied, researchers with the firm MedSec Holdings said a malicious hacker could have used weaknesses in the system to "reverse engineer" programs on the device and then cause it to issue unintended commands to an implanted pacemaker.

That account was verified by a team of independent researchers with the firm Bishop Fox, whose report is public as part of the now-settled lawsuit.

In October 2017, Boston Scientific confirmed that its Zoom Latitude programmers contained vulnerabilities that would allow someone to obtain a patient's personal health information if the device fell into the hands of a hacker. The company advised doctors to keep the programmer in a secure or locked location and erase the health data before removing it from the facility.

On Feb. 27, Medtronic confirmed that its CareLink 2090 programmer harbored vulnerabilities that would let a hacker obtain credentials for its software-update network, allowing an attacker to read material on the network, but not "write" to the network. Security researcher Rios has said other vulnerabilities do allow write access, but they are in the process of being confirmed and mitigated.

Security experts say there will always be tension between the cyber protections in heart devices and the health benefits of wireless access to them. Mark Lanterman, chief technology officer with Computer Forensic Services in Minnetonka, said gains in convenience often mean small losses of security, which is why vigilance is needed.

"They all could do a better job with respect to security," Lanterman said. "But I think that by continuing to call them out and pointing out the shortcomings, they are going to come around. Because they don't want a patient to be hurt, either."

Joe Carlson • 612-673-4779