Cybersecurity Vulnerabilities in Implantable Medical Devices

Zac Amos, Features Editor at ReHack

While digitalization saves lives, it can also put them at risk. The rise in data breaches and cyberattacks on the healthcare industry tracks the growing number of healthcare facilities connected to the internet and the insecure technologies they adopt. Implantable medical devices are among the latest targets of this trend, and their vulnerabilities can be deadly.

Why are hackers targeting implantable medical devices?

According to a report by the U.S. Health Sector Cybersecurity Coordination Center (HC3) and the Office of Information Security, the frequency of healthcare data breaches has trended upward since 2012, and the annual count more than doubled between 2018 and 2021, an unfortunate milestone and an indication that the problem will continue to worsen.

It’s no secret that the healthcare industry is amassing a fortune in personally identifiable information (PII) and medical data. Medical records sell for as much as $250 per record, while the next most valuable target, payment card numbers, fetch just $6 per sale. That value is a key driver of the trend: attackers use these files to steal identities, sell them on dark-web markets, or conduct reconnaissance for further, more profitable attacks.

Despite decades of privacy and security regulations, hackers often succeed. Healthcare data breaches exposed 385 million patient medical records between 2010 and 2022, compromising the identities and health histories of millions. Information theft is profitable, so attackers keep coming back. Recently, they have added a new tactic: putting patients themselves at risk.

Ransomware, account takeovers, and distributed denial-of-service (DDoS) attacks that lock providers out of electronic health record (EHR) systems, disable medication dispensers, and damage critical equipment force hospitals to act quickly to protect patients, which often leaves them no choice but to give in to attackers’ demands. The same logic applies to implantable medical devices: attackers have found that the threat of physical harm is a powerful motivator.

Which medical implants are vulnerable to attacks?

Research and real-world events show that implantable pacemakers are vulnerable to cyberattacks. They were the first implantable medical device to receive a cybersecurity recall from the U.S. Food and Drug Administration (FDA). In 2017, the regulator warned that radio-frequency-enabled pacemakers made by St. Jude Medical (acquired by Abbott that year) had a serious flaw.

An unauthorized user within radio range could exploit the vulnerability with commercially available equipment to send malicious programming commands to the pacemaker. This would allow them to drain the battery rapidly, read local storage, change the patient’s pacing, or deliver inappropriate electric shocks.

Other cardiac device systems have also shown potentially dangerous flaws. In 2023, the Cybersecurity and Infrastructure Security Agency (CISA) warned of CVE-2023-31222, a deserialization-of-untrusted-data flaw in Medtronic’s Paceart Optima system, which clinics use to manage data from implanted cardiac devices. It carries a Common Vulnerability Scoring System (CVSS) base score of 9.8 out of 10.

As with the St. Jude Medical pacemaker, attackers could exploit this vulnerability to steal, delete, or modify device data. More seriously, they could remotely run code on the system or knock it offline, cutting clinicians off from the implants they monitor through it.

Neural implants are also exposed. In theory, attackers could exploit serious flaws in their proprietary wireless protocols to mount software attacks. Such an attack is unlikely in practice, but the chance is not zero.

While blind attacks on implantable medical devices can drain batteries, steal data, or cause damage, targeted attacks use stolen pathophysiological data to inflict pain, alter the victim’s behavior, or cause significant psychological distress.

Publicly demonstrated attacks on implantable medical devices have so far targeted only insulin pumps, defibrillators, and pacemakers, but the scope could expand if attackers find other implants easy or profitable to target. Possible consequences include inaccurate readings, drug overdose, inappropriate shocks, discomfort, shortened device life, and death.

Common Vulnerabilities in Medical Device Implants

Implantable medical devices have long shared the same kinds of security flaws. Since 2023, however, the FDA has required manufacturers of new network-capable (“cyber”) devices to meet security conditions before clearance: they must have a plan to release patches on a regular cycle, and out of cycle for critical vulnerabilities, and they must submit a software bill of materials (SBOM) listing the components in the device software. That makes the old weaknesses less likely in newly cleared devices, although the installed base of older implants is unaffected.

That said, common vulnerabilities persist because they are easy to miss or hard to fix, so some stick around. According to the U.S. Government Accountability Office, the average medical device carries 6.2 vulnerabilities, so long-standing issues remain a concern for most manufacturers and hospitals.
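What a provider or manufacturer actually does with an SBOM is match it against vulnerability advisories. The following is an added example, not code from the original article or from any device manufacturer: it reads a constructed CycloneDX-style SBOM for a fictitious implant firmware and checks each component against a constructed advisory list that uses OSV-style “introduced”/“fixed” version ranges (the “fixed” bound is exclusive). The component names, versions, and advisory IDs are all fictitious placeholders; in practice the advisories would come from a database such as OSV or NVD.

```python
"""Match a CycloneDX-style SBOM against a list of vulnerability advisories.

Added example; not from the original article or any manufacturer.
The SBOM and advisories below are constructed sample data with fictitious
component names and advisory IDs.
"""
import json

# Constructed CycloneDX-style SBOM for a fictitious implant firmware image.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "cardiac-implant-fw", "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "rf-telemetry-stack", "version": "2.3.1"},
        {"type": "library", "name": "tiny-crypto", "version": "1.0.7"},
        {"type": "library", "name": "ble-host", "version": "5.1"},
    ],
})

# Constructed advisory list using OSV-style ranges: affected if
# introduced <= version < fixed. IDs are fictitious placeholders.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "rf-telemetry-stack",
     "introduced": "2.0.0", "fixed": "2.3.2",
     "summary": "unauthenticated programming command accepted"},
    {"id": "EXAMPLE-0002", "component": "tiny-crypto",
     "introduced": "0", "fixed": "1.0.5",
     "summary": "nonce reuse in AEAD mode"},
    {"id": "EXAMPLE-0003", "component": "ble-host",
     "introduced": "5.0.0", "fixed": None,   # no fix released yet
     "summary": "pairing key leaked in debug log"},
]


def parse_version(version):
    """Turn '2.3.1' into (2, 3, 1); pad short versions so '5.1' == '5.1.0'."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed; fixed=None means still unfixed."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_vulnerable_components(sbom_json, advisories):
    """Return (component, version, advisory_id) for every SBOM entry an advisory covers."""
    sbom = json.loads(sbom_json)
    versions_by_name = {}
    for comp in sbom.get("components", []):
        versions_by_name.setdefault(comp["name"], []).append(comp["version"])

    findings = []
    for adv in advisories:
        for version in versions_by_name.get(adv["component"], []):
            if is_affected(version, adv["introduced"], adv.get("fixed")):
                findings.append((adv["component"], version, adv["id"]))
    return findings


if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable_components(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}")
```

Running it flags the telemetry stack (2.3.1 falls inside 2.0.0 to 2.3.2) and the BLE host (no fix exists yet), and clears tiny-crypto, whose 1.0.7 is past the fixed bound. Real SBOMs also carry package URLs (purl) and hashes; matching on those rather than on bare names avoids false positives when two vendors ship components with the same name.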

Unsafe default configurations

Manufacturers publish default administrative passwords and hardware details in manuals and support documents to help providers and patients. If the programmer, home monitor, or companion app that controls an implant is left on factory settings, anyone with the manual can access or damage the device.

Unsecured communication

Wireless implants share health and device data over insecure protocols, usually through a bedside monitor or phone app that relays to public, cellular, or hospital networks, and sometimes all three. When the protocol, the set of rules governing how information is sent over the link, lacks authentication and encryption, attackers can intercept or alter the exchange between the implant and its programmer or monitor. The same weakness often provides an entry point into hospital databases and web servers.

Unpatched software vulnerabilities

A common industry rule of thumb is about one defect per 100 lines of code (LOC), and a typical implant’s firmware runs to tens of thousands of LOC, so software and firmware vulnerabilities often go unnoticed. Even once discovered, they remain a threat until they are patched.

Radio interference

Manufacturers publish which radio frequencies their implants use to transmit data, and the bands are public in any case: the MICS band (402–405 MHz) used by many implants is assigned by regulators. Attackers can tune to those frequencies to intercept, manipulate, or jam traffic. Knowing the frequency is not the real problem; a link that accepts unauthenticated commands on that frequency is.

What can healthcare providers do to protect their implants?

Healthcare providers can work with manufacturers and information technology (IT) teams to help secure implantable medical devices.

1. Multi-factor authentication

Vendors should require multi-factor authentication on programmers, home monitors, and clinician portals (the implant itself has no interface for it). That way, even if attackers steal credentials or exploit insecure default configurations, their options are limited: they cannot read device memory or change settings without completing the second factor.
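As an added example of the second factor a programmer portal might check, here is an RFC 6238 time-based one-time password (TOTP) verifier written for this article; it is not code from any vendor. It builds on the RFC 4226 HOTP construction (HMAC-SHA1 over a counter, dynamically truncated to six digits) and adds the two server-side details that matter in practice: a tolerance window of one 30-second step for clock drift, and a record of the last accepted step so a code captured in transit cannot be replayed. The shared secret below is the RFC’s published test key, so the codes can be checked against the RFC’s own test vectors.

```python
"""RFC 6238 TOTP verifier with a drift window and one-time use.

Added example; not code from the original article or any device vendor.
The shared secret is the RFC 4226/6238 test key. `TotpVerifier` stands in
for the per-user state a programmer portal would keep (an assumption).
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server-side check for one user's second factor.

    Accepts codes from the current step and +/- `window` steps of drift,
    and never accepts a step at or below the last accepted one, so a
    code that was sniffed or phished cannot be reused.
    """

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code, unix_time=None):
        now = int(time.time()) if unix_time is None else unix_time
        current = now // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue                           # already used: reject replay
            # constant-time compare so timing does not leak the expected code
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"              # RFC 6238 test key
    print(totp(secret, 59), totp(secret, 1111111109))   # RFC vectors: 287082 081804
```

The window must stay small: every extra step doubles the number of codes an online guesser can hit, so pair the verifier with rate limiting on failed attempts. Storing `last_accepted_step` per user is what turns a bare TOTP check into a one-time check.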

2. Password updates

Beyond changing default credentials, accounts that control implants should use long, unique passwords screened against known-breach lists, with rate limiting and lockout to defeat brute-force attacks, in which bots run a trial-and-error script until they guess the correct credentials. Current NIST guidance (SP 800-63B) recommends forcing a password change when there is evidence of compromise rather than on a fixed schedule, since routine rotation tends to produce weaker, predictable passwords.

3. Penetration Testing

As of 2022, one in four healthcare organizations spent 10% or less of its IT budget on cybersecurity. Those that cannot adopt additional security measures without significantly affecting margins should at least consider penetration testing.

During a penetration test, the IT team or an outside tester simulates a real attack in a risk-free setting (bench units and test networks, never devices in patients) to identify vulnerabilities so they can be remediated. Although it is time-consuming, it is relatively inexpensive and often very effective.

4. Encryption of data in transit

Threat actors can use unencrypted traffic to bypass security controls, compromise patient privacy, and tamper with medical devices. Healthcare organizations and vendors should encrypt everything in transit to prevent eavesdropping and active man-in-the-middle attacks such as session hijacking. Encryption alone does not stop a captured command from being replayed, so the link also needs message authentication and a freshness check such as a counter or nonce.
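To make the point of both the “Unsecured communication” section and this one concrete, the following added example (written for this article, not code from any manufacturer) models the command link between a programmer and an implant as byte frames. The frame layout, the device ID, and the pairing key are assumptions for illustration. A legacy link accepts any well-formed frame, so a forged command is applied. The hardened link appends an HMAC-SHA256 tag over the device ID, a monotonic counter, and the command, and rejects frames with a bad tag or a stale counter; that stops forged, tampered, and replayed commands. A production design would additionally encrypt the payload with an AEAD cipher; only the integrity and freshness checks are shown here.

```python
"""Unauthenticated vs. authenticated implant command link.

Added example; not code from the original article or any manufacturer.
Frame layout, device ID and pairing key are constructed for illustration.
"""
import hashlib
import hmac
import struct

DEVICE_ID = 0x0001A7C3                                   # constructed serial
PAIRING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff"
                            "ffeeddccbbaa99887766554433221100")  # constructed


class LegacyImplant:
    """Accepts any well-formed frame: <device_id:u32><command:ascii>."""

    def __init__(self):
        self.rate_bpm = 70
        self.log = []

    def handle(self, frame):
        (dev,) = struct.unpack(">I", frame[:4])
        if dev != DEVICE_ID:
            return "ignored"
        return self._apply(frame[4:].decode())

    def _apply(self, cmd):
        name, _, arg = cmd.partition(" ")
        if name == "SET_RATE":
            self.rate_bpm = int(arg)
        self.log.append(cmd)
        return "ok"


class AuthenticatedImplant(LegacyImplant):
    """Frame: <device_id:u32><counter:u64><command><tag:32>,
    tag = HMAC-SHA256(pairing_key, device_id || counter || command).
    Rejects bad tags and any counter not strictly greater than the last seen."""

    TAG_LEN = 32

    def __init__(self, key):
        super().__init__()
        self.key = key
        self.last_counter = 0

    def handle(self, frame):
        if len(frame) < 12 + self.TAG_LEN:
            return "rejected: short"
        body, tag = frame[:-self.TAG_LEN], frame[-self.TAG_LEN:]
        dev, counter = struct.unpack(">IQ", body[:12])
        if dev != DEVICE_ID:
            return "ignored"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):       # constant-time compare
            return "rejected: bad tag"
        if counter <= self.last_counter:                 # freshness check
            return "rejected: replay"
        self.last_counter = counter
        return self._apply(body[12:].decode())


def build_legacy_frame(command):
    return struct.pack(">I", DEVICE_ID) + command.encode()


def build_frame(key, counter, command):
    body = struct.pack(">IQ", DEVICE_ID, counter) + command.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def demo():
    """Run each scenario and return the outcomes so they can be checked."""
    results = {}
    legacy = LegacyImplant()
    results["legacy_forged"] = legacy.handle(build_legacy_frame("SET_RATE 200"))
    results["legacy_rate"] = legacy.rate_bpm                # 200: anyone can program it

    impl = AuthenticatedImplant(PAIRING_KEY)
    good = build_frame(PAIRING_KEY, 1, "SET_RATE 72")
    results["auth_legit"] = impl.handle(good)               # ok
    results["auth_replay"] = impl.handle(good)              # captured frame resent
    results["auth_forged"] = impl.handle(build_frame(b"wrong key", 2, "SET_RATE 200"))
    tampered = bytearray(build_frame(PAIRING_KEY, 3, "SET_RATE 72"))
    tampered[12 + len("SET_RATE ")] = ord("9")              # 72 -> 92 in flight
    results["auth_tampered"] = impl.handle(bytes(tampered))
    results["auth_rate"] = impl.rate_bpm                    # still 72
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The counter must survive reboots and be stored per pairing; if the programmer and implant ever fall out of sync, the fix is a fresh pairing, not a counter reset, which would reopen the replay window.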

5. Automatic updates

According to the FBI, medical equipment can remain in service for up to three decades, but software support cycles are far shorter, and devices receive little or no support once the manufacturer ends it.

Applying available patches would cut the number of attack vectors by 75%, assuming patches exist and the vendor has not discontinued support, which significantly reduces risk. For devices past end of support, IT should apply compensating controls such as network segmentation and monitoring if it has the resources to do so.

Hospitals need to strengthen cybersecurity to protect patients

Of course, the healthcare industry already takes security and privacy seriously, because neglect can bring regulatory fines, public backlash, and loss of licenses. But modest cybersecurity spending and high breach rates suggest it can do more to protect individuals. Providers, patients, and manufacturers must work together to prevent cyberattacks.


About Zac Amos
Zac Amos is the Features Editor at ReHack and a contributor to Medical Design Briefs, CyberTalk, and The Journal of mHealth, where he has covered cybersecurity and AI in healthcare over the years. To see more of his work, follow him on Twitter or LinkedIn.