Researchers from the security research firm WhiteScope identified cyber vulnerabilities in file system encryption and in the storage of unencrypted patient data across major vendors of implantable cardiac devices, according to the team’s report.
“The findings reveal consistency across all vendors, highlighting the inherent weaknesses in the ecosystem architecture,” the firm wrote.
Previous research has revealed security flaws in cardiac devices, including pacemakers. The WhiteScope researchers bought and evaluated parts of implantable cardioverter defibrillators and pacemakers from 4 major vendors.
Software sold by a company other than the cardiac device vendor is of particular concern. These third-party components can have vulnerabilities that go unnoticed or unpatched by the vendor.
The WhiteScope team identified a total of more than 8,000 vulnerabilities in third-party components across 4 manufacturers.
“Given the commonality of the findings across different vendors, identification of implementation vulnerabilities as to any one vendor may expose those same vulnerabilities in other vendors and should be considered carefully before public disclosure,” the report said.
The team noted that home monitoring devices, which receive updates using a patient support network, are at risk of receiving counterfeit firmware. Also vulnerable to hackers are hard drives used to program cardiac implants.
According to the study, vendors should assess their systems and use methods such as firmware packing and encryption to make it difficult for hackers to devise counterfeit firmware.
The report comes just weeks after a massive, international ransomware attack reportedly impacted certain medical devices within the U.S. healthcare system.