The FDA issued a recall on Merlin@home remote monitoring systems and implantable cardioverter defibrillators (ICDs) by Abbott (St. Jude Medical) due to fear of hacking.
The FDA Recall
The U.S. Food and Drug Administration (FDA) has issued a recall on nearly half a million implantable cardioverter defibrillators (ICDs) and Merlin@home devices.
The details released in a Safety Communication by the FDA on April 17th, 2018, include battery performance as well as firmware updates for certain devices made by Abbott (formerly St. Jude Medical).
The FDA says that Abbott’s implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds) need corrective firmware updates to protect patients from premature battery depletion and potential exploitation of cybersecurity vulnerabilities. These devices are implanted under the skin, help pace a patient's heartbeat when it is too slow or too fast, and provide electrical shocks.
The release also includes devices from a previous Premature Battery Depletion Recall in October 2016, which, interestingly enough, covers a similar issue: lithium clusters forming in the battery and short-circuiting it, so that the device fails to deliver life-saving services if the patient is unable to have the battery replaced quickly enough. In such an event, the flaw could lead to patient death.
The vulnerabilities were discovered by Medsec, a leading vulnerability research and security solutions provider for healthcare manufacturers, vendors, and providers, and were later confirmed by Bishop Fox.
The 2016 expert witness report from Bishop Fox’s Carl D. Livitt, on October 23, found that the protocol, or method (channel) of communication, that the Merlin@home and cardiac devices use to communicate is fundamentally flawed in both its design and implementation. This would allow hackers to repurpose Merlin@home devices to essentially emulate a programmer and send shocks to patients.
This is made possible by what is essentially an authentication backdoor. In hacking, a backdoor is a mechanism by which one can sidestep safety measures put in place to protect a device. Like the back door to your house, which for many people is typically less secure and often left unlocked, a backdoor into a system or device gives an attacker easier access than the protected methods in place.
How would you like to have one of those that can lead to your heart?! Probably would not be a good idea. Probably…
A Deeper Problem?
This, however, could be a consistent issue with medical equipment. It is not uncommon for a hospital or medical facility to have many versions of the same equipment, differing in both physical model and firmware. This can be a nightmare for medical personnel and hospital IT to sort out while ensuring every device is always safe and up to date, particularly because at any given time devices are checked out to patients, and many of those devices, especially newer models, have remote monitoring features that could leave them vulnerable to remote hacking attacks.
It might be hard to see how hacking medical equipment can be lucrative for the average hacker, but it is not hard to see for governments, private entities, stock manipulators, and other criminals with the intention to kill.
It is important that companies, young and old, keep a close eye on their hardware and employ cybersecurity professionals and white hat (ethical) hackers to assist in the discovery of such vulnerabilities before they can be used to do real harm.