I think some time ago I wrote a blog or something along the lines of cyber security in the healthcare industry. I can't remember what the exact content was, but I am sure it had something to do with the need for layers of security in order to meet the stringent requirements of HIPAA. Well, today, as I was looking around the news headlines for what to write about, this same issue came up again.
It has not so much to do with HIPAA as with the medical devices themselves. As you can imagine, the world of medical technology, just like that of the smartphone, has changed drastically and become very sophisticated. Many of these devices can now be interrogated and programmed wirelessly, and because of that the need to visit a specialist on a regular basis decreases.
Such is the case with Medtronic, the manufacturer of the CareLink programmers, which are used to program the pacemakers implanted in patients. In response to the cyber threat landscape, the company has disabled the internet-based software update functionality of two of these programmers.
This surprising move came after Medtronic, in conjunction with the U.S. Food and Drug Administration (FDA), determined that serious vulnerabilities exist in the software update process, vulnerabilities that could be exploited in a cyber attack. Specifically:
*An attacker could load software that was not created by Medtronic onto the programmer, which in turn is used to program the patient's pacemaker;
*Because of this, a patient could become the victim of a cyber attack resulting in great harm, or even death, depending on the patient's health condition.
The affected products are Medtronic's CareLink 2090 and CareLink Encore 29901 programmers. The exact statement from the FDA regarding this can be seen at the link below:
These programmers are used during the pacemaker implantation procedure and for the regular follow-up visits for Medtronic Cardiac Implantable Electrophysiology Devices, also known as CIEDs. These include the following:
*Cardiac resynchronization devices;
*Insertable cardiac monitors.
These programmers also allow the patient's doctor to collect other relevant data, such as the patient's overall condition and the implanted device's battery status, and the implanted device can be adjusted or reprogrammed based on the patient's overall health trend.
More importantly, firmware upgrades and software updates for the programmer itself are delivered remotely, downloaded over the internet. This is where the main vulnerability lies, and what a cyber attacker could take advantage of.
It is important to note that because the updates are delivered over the internet, the update channel is exposed to network-based attack. The relevant threat here is not the usual web application attacks such as SQL injection or cross-site scripting, but an attacker on the network path intercepting the download and substituting or modifying an update (in effect, delivering malware through the update path) before the programmer installs it.
In an effort to protect this update traffic, Medtronic implemented the use of Virtual Private Networks (VPNs). As I have written before, a VPN is one of the better means of securing a network connection: it encrypts the traffic between the two endpoints and, when properly set up, authenticates the far end, so that an outsider cannot read or tamper with the traffic in transit.
In this particular case, it is the download and deployment of the software updates that the VPN is meant to protect. But for some reason the programmers could not actually confirm that the VPN connection had been established before downloading an update, so an update could end up being fetched over an unprotected connection. This was the other reason Medtronic, together with the FDA, disabled the internet update functionality of these two products.
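To make the two weaknesses concrete, here is an added example (my own illustrative model, not Medtronic's code, and not a description of how the CareLink programmers are actually implemented). It models an update client that (a) assumes the VPN tunnel is up instead of checking, and (b) installs whatever it downloaded without authenticating it, next to a hardened client that checks the tunnel state before contacting the update server and then verifies the package itself before installing. The key, package bytes, `Channel` class and "on-path attacker" are all constructed for the example; HMAC-SHA256 is used only to keep the code standard-library, and the comments say why a real update channel would use an asymmetric signature instead.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed for this example: an update-authentication key provisioned to the
# programmer by the vendor. Not a real key, and not how any real device is keyed.
VENDOR_UPDATE_KEY = b"example-vendor-update-key-not-real"

Package = Tuple[bytes, bytes]  # (update bytes, authentication tag)


def sign_update(update: bytes, key: bytes = VENDOR_UPDATE_KEY) -> Package:
    """Vendor side: produce the package the programmer will download.

    HMAC-SHA256 is used only to keep this example standard-library. A real
    update channel should use an asymmetric signature (e.g. Ed25519) so that
    a key extracted from one programmer cannot be used to forge updates for
    every other programmer.
    """
    return update, hmac.new(key, update, hashlib.sha256).digest()


@dataclass
class Channel:
    """Models the programmer's network path to the vendor's update server."""
    vpn_established: bool
    # Constructed on-path attacker: the package the programmer receives instead
    # of the genuine one whenever the path is exposed.
    injected: Optional[Package] = None
    # Constructed worst case: the update server or tunnel endpoint itself is
    # serving attacker-controlled content, so the tunnel check alone cannot help.
    server_compromised: bool = False


def download(channel: Channel, genuine: Package) -> Package:
    """What actually arrives at the programmer.

    Over an established tunnel to an honest server the genuine package arrives.
    Without the tunnel, any host on the path can answer the download request
    with its own package; a compromised server can do so even over the tunnel.
    """
    exposed = (not channel.vpn_established) or channel.server_compromised
    if exposed and channel.injected is not None:
        return channel.injected
    return genuine


def install_unverified(channel: Channel, genuine: Package) -> bytes:
    """Weak flow: assume the VPN is up and install whatever arrives."""
    update, _tag = download(channel, genuine)
    return update


class UpdateRejected(Exception):
    pass


def install_verified(channel: Channel, genuine: Package,
                     key: bytes = VENDOR_UPDATE_KEY) -> bytes:
    """Hardened flow, two independent checks (layered security):
    1. confirm the protected tunnel is actually up before contacting the server;
    2. authenticate the package itself before installing, so a bad package is
       refused even if the tunnel or the server behind it is compromised."""
    if not channel.vpn_established:
        raise UpdateRejected("VPN not established; not contacting update server")
    update, tag = download(channel, genuine)
    expected = hmac.new(key, update, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise UpdateRejected("package authentication failed; not installing")
    return update


def attempt_verified(channel: Channel, genuine: Package) -> str:
    """Run the hardened flow and report the outcome as a string."""
    try:
        return "installed:" + install_verified(channel, genuine).decode()
    except UpdateRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    genuine = sign_update(b"vendor firmware v2")
    forged = sign_update(b"attacker firmware", key=b"attacker-key")
    print("weak, tunnel down :", install_unverified(Channel(False, forged), genuine))
    print("hard, tunnel down :", attempt_verified(Channel(False, forged), genuine))
    print("hard, bad server  :", attempt_verified(
        Channel(True, forged, server_compromised=True), genuine))
    print("hard, genuine     :", attempt_verified(Channel(True), genuine))
```

The point of the second check is the one the opening of this post makes about layers: confirming the tunnel fixes the specific defect described above, but a programmer that also refuses to install anything it cannot authenticate is protected even when the channel check is wrong or the far end is not what it claims to be.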
My thoughts on this?
Well, I think that it is very scary indeed. I am a heart patient myself, but fortunately I do not have a pacemaker installed in me, just five coronary grafts. We keep hearing about cyber attacks affecting IT systems and critical infrastructure, but this one literally impacts the human being.
Just imagine that you are walking somewhere where you have no access to anything public. All that you have is your smartphone. Just imagine that, all of a sudden, your pacemaker is hit either indirectly or directly by a cyber attack, and you drop to the ground. What can you do? All you can really hope to accomplish is to make an emergency 911 call on your smartphone, and hope and pray that help comes quickly.
There are only a few minutes that the human body can survive without a heartbeat before brain damage or even death follows. As much as we stress the importance of protecting patient information and data, this topic also needs to be quickly addressed and immediately resolved.
I never realized that this kind of cyber attack could actually happen until I read the article. In the end, anything and everything is vulnerable to a hack, even our own physiological selves. This is a really scary thing to happen to anybody. This issue needs to be brought into the limelight, and should literally be made part of the effort to fortify critical infrastructure.
In other words, it does not simply involve the water supply and electric grids; it should also include our medical infrastructure, at least when it comes to medical devices.