Medical Devices: Care Benefits vs. Cybersecurity Risks
Researcher Billy Rios Discusses Findings of New Study of Cardiac Devices
Manufacturers of connected medical devices need to more carefully consider the compromises they make in balancing the usability benefits to patient care versus the cybersecurity risks, says security researcher Billy Rios.
Rios and his colleague, Jonathan Butts of the security research firm WhiteScope, have released preliminary findings of a study that examined the security of implantable cardiac devices and related systems from four vendors. The research turned up over 8,000 "known vulnerabilities" in pacemaker systems and related third-party software libraries, Rios says. Problem areas included, for example, lack of encryption and authentication and bugs in code.
The study's findings also re-emphasize the industrywide challenges in keeping systems updated and patched, he adds.
The four manufacturers were not identified in the report, but the researchers contacted the vendors, as well as federal regulators, including the Department of Homeland Security, about their findings of security problems, Rios explains in an interview with Information Security Media Group.
"We did not want to call out or shame any particular vendor for the way that they did something," he says. "But that's not to say we didn't come across specific vulnerabilities in specific vendor implementations. Those issues were handled separately." For instance, DHS' U.S. Computer Emergency and Readiness Team is "working through those for coordinated disclosure" with the appropriate vendors, he notes.
In conducting the study, the researchers obtained products via third-party marketplaces, such as auction websites. Those products include programmers, which physicians use in their diagnosis and the programming of implantable cardiac devices; home monitoring devices; and implantable cardiac devices, including cardioverter defibrillators and pacemakers.
"Conceptually, the four major vendors employ a similar architecture framework, including communication protocols, device intercommunications, embedded device hardware, and device authentication," the report notes.
The analysis revealed potential security risks stemming from the underlying protocols and system-to-system communications involving embedded devices, the report notes. "To mitigate the potential impact to patient care, it is recommended that vendors evaluate their respective implementations and validate that effective security controls are in place to protect against identified deficiencies that may lead to potential system compromise," the report says.
"We came across some obvious tradeoffs for patient care and cybersecurity. Whether they are considered cybersecurity issues is still up for debate," Rios says. "But there are some definite places where patient care definitely influenced the design of some of these systems."
For example, none of the vendors of device programmers require authentication for programming implantable cardiac devices, Rios notes. As a result, access to a programmer provides the potential for a user to program any supported implantable cardiac device. And that poses security risks.
"That's a decision that was made by each of the manufacturers because it enables a lot of different patient care scenarios and allows a lot of benefits to the patient," he says. "We're not saying that's a flaw or a vulnerability. But that is something people should understand about how these systems work."
A lot of the problems the researchers discovered cannot be easily fixed, Rios notes. "A lot of these decisions involve tradeoffs between what benefits they provide patients and patient care - and what risks they bring up from a cybersecurity perspective," he adds.
Rios hopes the research spurs some conversations about the tradeoffs between patient care benefits and security risks posed by connected medical device systems.
In the interview, Rios also discusses:
- The kinds of potential security and privacy risks posed to patient data still stored in medical devices available for sale on third-party marketplaces, such as auction sites;
- How Rios and Butts conducted their examination of the cardiac device products' various components, security features and potential vulnerabilities;
- What's next for the research.
Rios is the founder of information security research firm WhiteScope, based in Half Moon Bay, Calif. His previous roles included director of vulnerability research and threat intelligence for Qualys, global managing director of professional services for Cylance, and "security ninja" for Google. He's also served as an officer in the U.S. Marines and worked as an information assurance analyst for the U.S. Defense Information Systems Agency.