- Attackers with physical access to the Biosense Webster CARTO 3 version 4 (V4) heart imaging device could exploit cybersecurity vulnerabilities in the operating system to access protected health information (PHI) stored on the device, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned in an April 17 advisory.
The attackers could also degrade the device’s integrity, deny availability of the device, or gain access to other systems within the user’s network if the device is connected.
At the same time, the advisory said that the network interface for CARTO 3 V4 is restricted by a software firewall that provides “reasonable assurance” that it will not be exploited remotely or through malware or ransomware if the device is connected to a network.
ICS-CERT warned that exploits targeting the CARTO 3 V4 vulnerabilities exist and are publicly available.
According to Biosense Webster, CARTO 3 is deployed across the healthcare and public health sector primarily in the United States, Asia, Europe, Middle East, and Africa.
“The CARTO 3 System is an advanced imaging technology that utilizes electromagnetic technology to create real-time three-dimensional (3D) maps of a patient’s cardiac structures,” explained a fact sheet from Biosense Webster, a Johnson & Johnson company.
“The system is designed to help electrophysiologists navigate the heart by generating an accurate 3D map, as well as pinpointing the exact location and orientation of catheters in the heart during diagnostic and therapeutic procedures for patients suffering from heart rhythm conditions (cardiac arrhythmias),” it added.
The National Cybersecurity and Communications Integration Center (NCCIC) recommends that CARTO 3 users take defensive measures to minimize the risks from these vulnerabilities. Specifically, users should:
• Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the internet
• Locate all medical devices and remote devices behind firewalls and isolate them from the business network
• Use secure methods, such as virtual private networks (VPNs), when remote access is required, recognizing that VPNs may have vulnerabilities and should be updated to the most current version available
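As an added illustration of the three segmentation points above (example code written for this page, not from ICS-CERT, NCCIC or Biosense Webster), the following Python checker reads constructed firewall flow records and flags any traffic involving the medical-device segment that reaches the internet, crosses into the business network, or talks to a peer outside a small approved allow-list. The subnets, the PACS/DICOM server and the VPN gateway addresses are assumptions chosen for the example; the device addresses do not come from the advisory.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network layout for the example (assumed, not taken from the advisory).
MEDICAL_NET = ipaddress.ip_network("10.50.0.0/24")   # isolated segment for clinical devices
BUSINESS_NET = ipaddress.ip_network("10.10.0.0/16")  # general hospital business LAN

# Only these (server, port) pairs may be contacted from the medical segment.
ALLOWED_PEERS = {
    (ipaddress.ip_address("10.20.5.10"), 104),   # assumed PACS/DICOM server
    (ipaddress.ip_address("10.20.5.20"), 443),   # assumed VPN / remote-support gateway
}
ALLOWED_ADDRS = {addr for addr, _ in ALLOWED_PEERS}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one key=value record, e.g. 'src=10.50.0.7 dst=8.8.8.8 dport=443 proto=tcp'."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Flow(
        ipaddress.ip_address(fields["src"]),
        ipaddress.ip_address(fields["dst"]),
        int(fields["dport"]),
        fields["proto"],
    )


def classify(flow: Flow) -> str:
    """Return 'allow', 'out-of-scope', or the name of the policy violation."""
    src_med = flow.src in MEDICAL_NET
    dst_med = flow.dst in MEDICAL_NET
    if not (src_med or dst_med):
        return "out-of-scope"          # does not touch the medical segment
    if src_med and dst_med:
        return "allow"                 # intra-segment traffic
    peer = flow.dst if src_med else flow.src
    if peer.is_global:
        return "internet-exposure"     # device reachable from / reaching the internet
    if peer in BUSINESS_NET:
        return "business-network-crossing"
    if src_med and (peer, flow.dport) in ALLOWED_PEERS:
        return "allow"                 # outbound to an approved server and port
    if dst_med and peer in ALLOWED_ADDRS:
        return "allow"                 # inbound only from an approved peer (e.g. VPN gateway)
    return "unexpected-peer"


def audit(lines):
    """Return (verdict, record) pairs for every record that violates the policy."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        verdict = classify(parse_flow(line))
        if verdict not in ("allow", "out-of-scope"):
            findings.append((verdict, line.strip()))
    return findings


# Constructed sample flow log; 8.8.8.8 stands in for "any public address".
SAMPLE_LOG = """
src=10.50.0.7 dst=10.20.5.10 dport=104 proto=tcp
src=10.50.0.7 dst=8.8.8.8 dport=443 proto=tcp
src=10.50.0.7 dst=10.10.4.22 dport=445 proto=tcp
src=10.10.3.5 dst=10.50.0.7 dport=3389 proto=tcp
src=10.50.0.7 dst=10.20.5.20 dport=443 proto=tcp
src=10.10.3.5 dst=10.10.9.9 dport=80 proto=tcp
src=10.50.0.7 dst=10.20.7.1 dport=22 proto=tcp
"""

if __name__ == "__main__":
    for verdict, record in audit(SAMPLE_LOG.splitlines()):
        print(f"{verdict:28} {record}")
```

Run against a real firewall or NetFlow export, the same logic turns the three recommendations into a checkable policy: any "internet-exposure" or "business-network-crossing" finding for the device segment is a direct contradiction of the first two points, and "unexpected-peer" findings show where the allow-list (the VPN gateway of the third point) needs review.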
Biosense Webster also makes software modules for the CARTO 3 System that enable advanced cardiac visualization to enhance clinicians’ ability to diagnose and treat heart rhythm disorders.
These modules also provide electrophysiologists access to visual information including the ability to tag, or label, lesions to keep track of treatment strategies for individual patients.
This is the second group of cardiac medical devices identified by the US government as having significant cybersecurity vulnerabilities this week. The Food and Drug Administration flagged cybersecurity vulnerabilities in Abbott Laboratories’ implantable cardiac defibrillators.
The FDA warned that hackers could gain access to the defibrillators through the devices’ radio frequency (RF) communications using commercially available equipment and issue commands, change settings, or perform other actions that could interfere with the function of the devices.
A recent report by the Royal Academy of Engineering explained that vulnerable medical devices are a growing problem in the digital healthcare environment.
The report noted that connected medical devices range in scale and complexity from implantable devices such as cardiac pacemakers, drug administration devices and monitoring devices to nonimplantable devices such as infusion pumps, defibrillators, glucometers, and blood pressure measurement devices.
Connected medical devices also include large-scale hospital equipment such as MRI scanners and x-ray machines. Medical devices may be connected into a network to carry out remote diagnostics of the equipment or for remote monitoring of patients.
“A central challenge is to produce trustworthy, regulated products that work to medical standards and have good cybersecurity, but at the speed, efficiency and price of consumer products,” the report explained.
It is a challenge for hospitals to specify security requirements when procuring health devices, since procurement may be undertaken by clinicians who are not experts in cybersecurity.
Training clinical professionals in areas such as data literacy and cybersecurity could help. In addition, professional engineering institutions could help spread the word about security best practice and facilitate cross-sectoral learning, the report concluded.