Last year, the security issues in the implantable devices has been so popular only because of the threats to patient’s health and safety. In 2016, the MedSec directed an investigation for the pacemaker system that highlighted there were some security issues in the cardiac products from St. Jude Medical. These issues may damage the battery of the devices or the devices too. The working or the functionality of the devices may suffer from this.
Jonathan Butts and Billy Rios belonged to the WhiteScope security research organization. They printed a white paper enlisting the findings of the research. Both of them analyzed seven different cardiac products from 4 product manufacturers. In their analysis, they worked on the implantable heart devices and the house monitoring products.
They purchased all the devices from different auction online shops for the study like eBay. Some of these devices were purchased on the condition that they will return them to the manufacturer when they will be useless for them. The research report stated that, all the manufacturers had enlisted their home monitoring devices for sale on auction sites. During the study, they found many security issues all pacemaker systems.
The information about the pacemaker system was coded and it was stored on the removable devices. Among them, some of the devices contained private information like the SS numbers and medical histories and this data was not coded to support illegal usage. The devices were available to the physicians and they were able to reprogram without any authentication. According to the researchers, all pace maker programmers can reprogram the pace maker system, until it is manufactured by the same supplier.
The pacemaker system’s software contained 8000+ people data in its libraries for all available devices. Among the manufacturers, there was one who had 3,715 susceptibilities in the libraries. The researchers finally concluded that there was a problem updates of software security in all over the industry. According to Butt and Rios, they got almost same findings for all the suppliers. They further recommended that all the vendors should consider their executions and confirm that there are security checks for the issues that may cause problems in the system.
The researchers did not highlighted the specifications for the issues, but they were sent to the Department of Homeland Security’s ICS-CERT. On the other hand, a report is also sent to “appropriate agency” to recover the sensitive information from the patients belonged to East Coast Hospital like SSN.