How a Medical Device Vulnerability Can Compromise Privacy
Researcher Billy Rios Discusses Findings of Research on Pacemaker Programming Device Woes
Medical device cybersecurity scrutiny usually focuses on potential patient safety issues. But vulnerabilities identified in a cardiac pacemaker programming device illustrate the risks also posed to patient data privacy, says Billy Rios, a researcher who discovered the problem.
Vulnerabilities identified by Rios and his colleague, Jonathan Butts, last year while examining Boston Scientific cardiac pacemaker programming devices - the Zoom Latitude Programmer/Recorder/Monitor Model 3120 - resulted in the Department of Homeland Security recently issuing a security alert.
In its alert, DHS's Industrial Control Systems Cyber Emergency Response Team describes how physicians use the portable cardiac rhythm management systems - or programmer - for implanted pacemakers and defibrillators. The vulnerabilities spotlighted in the alert involve the Boston Scientific device using "a hard-coded cryptographic key to encrypt protected health information prior to having data transferred to removable media." Use of such a key significantly increases the possibility that encrypted data may be recovered. The alert also notes that the "device does not encrypt PHI at rest."
Although that Boston Scientific cardiac programming device is not network accessible and the identified vulnerabilities are not remotely exploitable, the problems found by Rios and Butts could enable a potential attacker with physical access to the device to obtain patient data, the alert says.
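To make the alert's point about a hard-coded key concrete, here is an added example (not code from the alert, Boston Scientific or the researchers) that contrasts a single export key baked into every unit's firmware with a key derived per unit from a unit-unique secret. The cipher is a constructed HMAC-SHA256 counter-mode construction chosen so the block runs with only the standard library, and every key and record in it is constructed.

```python
import hashlib, hmac, secrets

def hkdf(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 (zero salt) to derive purpose-bound sub-keys."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:length]

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as keystream (stdlib-only illustrative cipher)."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_export(key: bytes, phi: bytes) -> bytes:
    """Encrypt-then-MAC an export: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(hkdf(key, b"enc"), nonce, phi)
    tag = hmac.new(hkdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_export(key: bytes, blob: bytes):
    """Plaintext if the tag verifies under this key, else None."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(hkdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor_stream(hkdf(key, b"enc"), nonce, ct)

# Weak design: one constructed key baked into every unit's firmware.
HARDCODED_KEY = b"constructed-firmware-constant-00"

def per_device_key(device_secret: bytes) -> bytes:
    """Hardened design: key derived from a unit-unique secret (stands in for a secure-element value)."""
    return hkdf(device_secret, b"phi-export-key")

def devices_exposed(exports: list, recovered_key: bytes) -> int:
    """How many units' removable-media exports one recovered key opens."""
    return sum(decrypt_export(recovered_key, b) is not None for b in exports)

def compare_designs(fleet_size: int = 5) -> tuple:
    """Units exposed as (hard-coded key, per-device keys) once a single unit's key is recovered."""
    phi = b"constructed sample PHI record"
    hard = [encrypt_export(HARDCODED_KEY, phi) for _ in range(fleet_size)]
    keys = [per_device_key(secrets.token_bytes(32)) for _ in range(fleet_size)]
    per_dev = [encrypt_export(k, phi) for k in keys]
    return devices_exposed(hard, HARDCODED_KEY), devices_exposed(per_dev, keys[0])
```

With the hard-coded design, recovering the constant from any one unit opens every unit's exports; with per-unit derivation, the same loss is confined to the unit it came from, which is the difference the alert's wording about recoverable data is pointing at.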
More to Come?
The specific Boston Scientific PRM model that is the subject of the ICS-CERT alert is among a variety of vendors' programming devices that Rios and Butts purchased from online auction sites for their security research, Rios explains in an interview with Information Security Media Group.
"The [vulnerable] PHI [cryptographic] key that we saw on the [Boston Scientific] programmer, that's just the first of others to come," Rios warns, adding that various vulnerabilities the researchers found on other vendors' programming devices could also potentially result in additional government alerts.
"For some of the [resold] programmers, we actually found real patient data on them. So, when you look at the ICS-CERT advisory for the Boston Scientific programmer, you see that we basically have the key to decrypt the different pieces of data on [that] programmer."
The researchers' finding of actual patients' PHI - including names and Social Security numbers - on some of the examined resold devices not only suggests weaknesses in the products' design and features, but also points to sloppy practices by some healthcare entities that neglect to erase patient data before getting rid of the products, Rios says.
"That means anyone could have literally purchased these [used] devices and gotten this patient data off of these devices," he says.
"So if you're a hospital or a health delivery organization ... when you go to the end of your device life cycle, when you turn the device in or dispose of it, you need to be sure your hospital's or patients' data is not on those devices," he says. "If those devices end up on an auction website ... or given to someone who's not supposed to have it, and your hospital's data is on there, that can put you at a lot of risk."
Boston Scientific Responds
In a statement provided to ISMG, Boston Scientific says the company "rigorously" evaluates the security of its rhythm management devices through a comprehensive security risk assessment process, aligned with the Food and Drug Administration's guidance.
"The ICS-CERT advisory highlights the importance of physical security in mitigating the risk of unauthorized users accessing patient data stored on a medical device - much like a laptop left in an open space is at risk of a security breach," Boston Scientific says.
"The findings of the advisory do not impact patient safety, and in order to reduce risk of exploitation of protected health information, programmers and any related data storage drives should be physically secured and patient data should be removed from the device before it is retired."
In the interview, Rios also discusses:
- Medical device cybersecurity problems that result in patient safety versus data security risks;
- Whether the issues the two researchers identified are common to other types of medical devices;
- The prospect of additional security or safety alerts from government agencies resulting from the research.
Rios is the founder of information security research firm WhiteScope, based in Half Moon Bay, Calif. His previous roles included director of vulnerability research and threat intelligence for Qualys, global managing director of professional services for Cylance, and "security ninja" for Google. He's also served as an officer in the U.S. Marines and worked as an information assurance analyst for the U.S. Defense Information Systems Agency.