A number of implantable cardiac devices made by St. Jude Medical had several vulnerabilities that hackers could have used to harm patients, the U.S. Food and Drug Administration's announced this week, providing yet another example of the risks posed by the rapidly expanding universe of connected devices. Here are the key details from the FDA's announcement:
Many medical devices—including St. Jude Medical's implantable cardiac devices—contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.
The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.
No patients have been harmed by the vulnerabilities, the FDA said. The software patch has been pushed out automatically to patients and caregivers.
Analysis: IOT market pressures are trumping safety and code quality
The FDA's announcement hits close to home for Constellation Research VP and principal analyst Steve Wilson, who was part of the team that wrote the code for the world's first software-controlled implantable defibrillator—Telectronics model 4210, released in 1990.
"I can tell you, hacking that thing was not possible," says Wilson, who leads Constellation's research into security and privacy issues.
That's because the first implantable cardioverter defibrillators (ICDs) used proprietary telemetry protocols, and came about before the days of WiFi and Bluetooth. There also wasn't a great deal of data to upload, so a home-grown, specific electromagnetic communication protocol was fine, and inherently secure, Wilson explains.
In addition, each company's telemetric programmer—the machine used by nurses and cardiologists to talk to the implants—was also proprietary. "If you visited a pacemaker clinic, you'd see a dozen or more of these computer-sized special purpose devices, taking up space, each working in a different way," Wilson says.
Over time, pressure mounted to standardize networking due to the cost of software development, the cost of peripheral equiment and operator convenience, he adds.
"What we have now is unbelievably complex multilayered software, built with many general purpose commercial components, like networking interfaces and operating systems," Wilson says. "They've been put together into a medical product to meet a range of competing concerns: quality and safety, time to market, cost of development, maintainability, serviceability and so on. It seems to me that over time, some of these considerations have been allowed to trump security, safety and quality."
The very idea the St. Jude devices needed to be patched is obscene, in Wilson's view. "These things should not be so complicated that they need patching," he says. "They should not have been allowed to grow into flabby general-purpose computers. They didn't have to be made from commercial PC components."
There is a message here for code complexity in all of the Internet of Things, Wilson says.
"'Things' are things," he says. "Consumers—and cardiac patients—are having general-purpose computers inflicted on them, when what they want is just a toaster, or a pacemaker, or a car. Nobody is talking yet about the balance between functionality, reliability and security. Nobody is facing up to the penalties incurred when we let smart devices be built so expeditiously."
24/7 Access to Constellation Insights
Subscribe today for unrestricted access to expert analyst views on breaking news.
