The Dept. of Homeland Security said this month it discovered vulnerabilities within Boston Scientific’s (NYSE:BSX) Zoom Latitude programmer designed to communicate with implantable pacemakers and defibrillators, warning of exploits that could allow access to personal health information.
In its report, the DHS’s Industrial Control Systems Cyber Emergency Response Team said it found 2 vulnerabilities in all models of the Zoom Latitude PRM model 3120 which could allow an attacker with low skill to gain access to patient health information.
To exploit the vulnerabilities, however, the attacker would have to have physical access to the unit as the “affected device is not designed to be network accessible,” according to the report.
To that end, the DHS said that Boston Scientific will not be issuing an update to the product, but recommended measures including controlling access to the device and storing it in a locked location when not in use. The Marlborough, Mass.-based company also advised users to remove patient health information from the device before discontinuing use or retiring the systems.
“We rigorously evaluate the security of our rhythm management devices through a comprehensive security risk assessment process, aligned with the FDA’s guidance. The ICS-CERT advisory highlights the importance of physical security in mitigating the risk of unauthorized users accessing patient data stored on a medical device — much like a laptop left in an open space is at risk of a security breach,” a Boston Scientific spokeswoman told the StarTribune via email this week, according to their report on the vulnerabilities.
The ICS-CERT team did not advise that physicians stop using the device, and advised anyone who suspects malicious activity to report it to them for tracking and investigation.
Last week, a federal appeals court upheld a plaintiff’s $27 million win over Boston Scientific in a product liability lawsuit brought over its Pinnacle pelvic mesh.