A Boston Scientific medical device was found to have a vulnerability that could compromise PHI security, according to Whitescope researchers Jonathan Butts and Billy Rios.
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) stated in an online advisory that two vulnerabilities were found in Boston Scientific’s ZOOM LATITUDE Programmer/Recorder/Monitor (PRM) – Model 3120.
The ZOOM LATITUDE PRMs are “portable cardiac rhythm management systems used to communicate with implanted pacemakers and defibrillators,” according to ICS-CERT.
“The affected device uses a hard-coded cryptographic key to encrypt PHI prior to having it transferred to removable media,” the advisory warned. “The affected device does not encrypt PHI at rest.”
The vulnerabilities require physical access, ICS-CERT added, and there are currently no known exploits of them. Even so, an attacker with a low skill level could potentially exploit the vulnerabilities.
Boston Scientific has issued the following controls to reduce the PHI security risk:
- Control access to the device and ensure all access is properly inventoried
- Maintain the device in a secure or locked location when not in use
- Remove PHI prior to retiring or removing the device from the facility. Instructions for removing PHI are outlined in the operator’s manual.
ICS-CERT also stressed the need for organizations to perform an impact analysis and a proper risk assessment before conducting any defensive measures.
Having a comprehensive security risk assessment process is part of the standard procedure for rhythm management devices, a Boston Scientific spokeswoman told the Minneapolis Star Tribune.
"We rigorously evaluate the security of our rhythm management devices through a comprehensive security risk assessment process, aligned with the FDA's guidance," the statement read. "The ICS-CERT advisory highlights the importance of physical security in mitigating the risk of unauthorized users accessing patient data stored on a medical device — much like a laptop left in an open space is at risk of a security breach."
Because the device in question is not designed to be network accessible, healthcare organizations should ensure that their medical devices are used only for their intended purpose. More entities are beginning to adopt Internet of Medical Things (IoMT) devices, but their cybersecurity issues cannot be overlooked.
Two lawmakers recently introduced legislation that aims to centralize current and relevant frameworks, guidelines, and standards for IoMT devices.
The Internet of Medical Things Resilience Partnership Act will help identify security gaps and find “actionable solutions while providing a framework for IoMT developers for which to reference,” according to Rep. Dave Trott and Rep. Susan Brooks.
The Food and Drug Administration (FDA) and NIST should also “establish a working group of public and private entities to develop recommendations for voluntary frameworks and guidelines to increase the security and resilience of networked medical devices sold in the United States that store, receive, access, or transmit information to an external recipient or system for which unauthorized access, modification, misuse, or denial of use may result in patient harm.”
Brooks added in a statement that the need for secure medical devices grows as more devices are implanted into patients.
“Bad actors are not only looking to access sensitive information, but they are also trying to manipulate device functionality,” she said. “This can lead to life-threatening cyber-attacks on devices ranging from monitors and infusion pumps, to ventilators and radiological technologies.”
Trott added that existing security frameworks leave sensitive medical data vulnerable by “failing to adapt to technological innovation.”
“In our nation’s hospitals, technology has helped provide better quality and more efficient health care, but the perpetual evolution of technology – its greatest strength – is also its greatest vulnerability,” Trott stated.