'Thousands' of known bugs found in pacemaker code

  • Published
Pacemaker scarImage source, Science Photo Library
Image caption,
Pacemakers and gadgets used to monitor them take few steps to secure data

Pacemakers, insulin pumps and other devices in hospitals harbour security problems that leave them vulnerable to attack, two separate studies warn.

One study solely on pacemakers found more than 8,000 known vulnerabilities in code inside the cardiac devices.

The other study of the broader device market found only 17% of manufacturers had taken steps to secure gadgets.

The reports come soon after more than 60 health organisations in the UK fell victim to a cyber-attack.

Urgent need

The report on pacemakers looked at a range of implantable devices from four manufacturers as well as the "ecosystem" of other equipment used to monitor and manage them.

Researcher Billy Rios and Dr Jonathan Butts from security company Whitescope said their study showed the "serious challenges" pacemaker manufacturers faced in trying to keep devices patched and free from bugs that attackers could exploit.

They found that few of the manufacturers encrypted or otherwise protected data on a device or when it was being transferred to monitoring systems.

Also, none was protected with the most basic login name and password systems or checked that devices they were connecting to were authentic.

Often, wrote Mr Rios, the small size and low computing power of internal devices made it hard to apply security standards that helped keep other devices safe.

Image caption,
The UK's NHS was hit hard by the WannaCry worm in early May

In a longer paper, the pair said device makers had work to do more to "protect against potential system compromises that may have implications to patient care".

Mr Rios said all the problems he and his co-workers uncovered had been reported to the US Department of Homeland Security, which oversees companies that make medical devices.

The separate study that quizzed manufacturers, hospitals and health organisations about the equipment they used when treating patients found that 80% said devices were hard to secure.

Bugs in code, lack of knowledge about how to write secure code and time pressures made many devices vulnerable to attack, suggested the study.

Despite acknowledging these problems, only 9% of device makers and 5% of health organisations tested equipment annually for potential security vulnerabilities, it found.

A higher percentage of makers, 17%, took steps to secure the equipment they made.

The study found that 49% of manufacturers were not using advice from the US Food and Drug Administration about how to secure devices.

"The security of medical devices is truly a life or death issue for both device manufacturers and healthcare delivery organisations," said Dr Larry Ponemon, co-author of the study, with security company Synopsys.

"It is urgent that the medical device industry makes the security of its devices a high priority," he said.