While digitalization saves lives, it may also threaten them. The uptick in data breaches and cyberattacks targeting the healthcare industry correlates with the amount of internet-connected, insecure technology facilities are adopting. Implantable medical devices are one of the latest victims of this trend — and their vulnerabilities could be deadly.
Why are Hackers Targeting Implantable Medical Devices?
According to a report from the U.S. Health Sector Cybersecurity Coordination Center and the Office of Information Security, the frequency of healthcare data breaches has trended upward since 2012. That number more than doubled from 2018 to 2021, marking an unfortunate milestone — and indicating the issue will continue worsening.
It’s no secret the healthcare industry amasses a fortune of personally identifiable information (PII) and health data. In fact, while medical details sell for up to $250 per record, the next highest target — payment card numbers — only goes for $6 per sale. Value is one of this trend’s leading drivers, as threat actors can use these files to steal individuals’ identities, make money on the dark web, or conduct reconnaissance for profitable cyberattacks.
Despite longstanding privacy and security regulations, hackers are often successful. Healthcare data breaches exposed 385 million patient records from 2010 to 2022, compromising millions of individuals’ identities and health histories. Information theft is profitable, so they keep coming back. However, they’ve recently gravitated toward a new tactic — putting patients in danger.
Ransomware, account takeover and distributed denial-of-service (DDoS) attacks lock providers out of electronic health record (EHR) systems, shut down dosing machines and brick critical equipment. Hospitals must act fast to protect patients, meaning they often have no choice but to give in to the attackers’ demands. The same concept applies to implantable medical devices — attackers have found the threat of harm is a great motivator.
Which Medical Device Implants Are Vulnerable to Attacks?
Research — and real-world events — demonstrate implantable pacemakers are vulnerable to cyberattacks. They were the first implantable medical device to receive a cybersecurity-related recall from the U.S. Food and Drug Administration (FDA). In 2017, the regulator warned the radio-frequency-enabled devices manufactured by St. Jude Medical had a critical flaw.
Attackers could exploit the vulnerability by modifying the transmitter to send malicious programming commands. This would allow them to drain the pacemakers’ batteries, access local memory storage, change patients’ heartbeats or administer inappropriate electric shocks.
Other intracardiac devices have also displayed potentially lethal security flaws. In 2023, the Cybersecurity and Infrastructure Security Agency warned of a severe vulnerability in a device from a company called Medtronic — issue CVE-2023-31222. Its severity score is 9.8 out of 10, according to the Common Vulnerability Scoring System.
Similarly to the issue with the St. Jude Medical pacemaker, attackers could exploit this vulnerability to steal, delete or modify device data. More importantly, they could remotely tamper with, disrupt or shut down the device.
Neural implants are one type of implantable medical device vulnerable to cyberattacks. In theory, bad actors can exploit severe vulnerabilities in their proprietary wireless communication protocols to initiate software attacks. While this terrible situation is unlikely, it has a non-zero chance of occurring.
While blind attacks on neural implantable medical devices could drain batteries, steal data or induce lesions, targeted attacks leverage stolen pathophysiological data to inflict pain, modify the victim’s behavior or cause substantial psychological distress.
Although publicly known cyberattacks targeting implantable medical devices have only affected insulin pumps, cardiac defibrillators and pacemakers so far, the scope may broaden if attackers find targeting them easy or profitable. The likely consequences are inaccurate readings, drug overdoses, inappropriate shocks, discomfort, reduced device life span and fatalities.
Common Vulnerabilities in Medical Device Implants
Typically, implantable medical devices have suffered from similar vulnerabilities. However, as of 2023, the FDA orders they meet specific security guidelines — patches must be available periodically and in emergencies, and manufacturers must submit a software bill of materials. In other words, previously common security weaknesses are less likely.
That said, typical vulnerabilities exist because they’re easy to overlook or challenging to address, so some remain. According to the U.S. Government Accountability Office, each medical device has an average of 6.2 vulnerabilities, indicating that longstanding pain points remain issues for most manufacturers and hospitals.
Insecure Default Configurations
Medical device manufacturers publish administrative passwords and hardware details publicly to assist providers and patients. If patients keep the factory settings, bad actors can easily access or damage their devices.
Unsecured Communications
Internet-facing wireless implantables use unsecured communication protocols to share health and device data. They typically connect to public, cellular or internal hospital networks — sometimes all three. Attackers can intercept exchanges between the communication protocol programmer — the system of rules governing how information transmits over a network — and the medical device. This fault often provides an entry point into hospitals’ databases and web servers.
Unpatched Software Vulnerabilities
On average, every 100 lines of code (LOC) has one bug — and a typical medical device implant has tens of thousands of LOC — so software and firmware vulnerabilities often go unnoticed. Even if someone detects them, they pose a risk as long as they go unpatched.
Manual Radio Interference
Many manufacturers publish manuals containing information on which radio frequencies their medical device implants use to transmit data. Attackers can use this knowledge to intercept, manipulate or disrupt information in transit.
What Can Healthcare Providers Do to Secure Implants?
Healthcare providers can work with manufacturers and information technology (IT) teams to help secure implanted medical devices.
1. Multi-Factor Authentication
Providers should mandate multi-factor authentication. This way, even if attackers successfully steal data or leverage insecure default configurations, their options are limited. They can’t access device memory or maliciously alter settings if they can’t validate their identity.
2. Password Updates
In addition to changing default credentials, patients should be required to update their passwords periodically to defend against brute-force attacks — where bots run a trial-and-error script until they successfully guess the correct login details — and data breaches.
3. Penetration Testing
As of 2022, one in four healthcare organizations spend 10% or less of their IT budget on cybersecurity. They should consider penetration testing if they lack the flexibility to adopt additional security measures without substantially impacting profit.
During a penetration test, the IT team simulates a real-world cyberattack in a risk-free environment to identify security gaps, making identifying and addressing vulnerabilities easier. While it’s a time-intensive process, it’s relatively affordable — and often highly effective.
4. Data Encryption in Transit
Threat actors can use unencrypted data to bypass security, compromise patient privacy and tamper with medical devices. Healthcare institutions should encrypt everything in transit to prevent man-in-the-middle attacks like eavesdropping and session hijacking.
5. Automatic Updates
According to the FBI, while medical device hardware remains functional for up to three decades, software lifecycles are much shorter because manufacturers stop providing support. During the end-of-life stage, devices receive few updates, if any.
Applying patches would reduce the number of attack vectors by 75% — assuming they exist and the manufacturer hasn’t stopped providing support — which would substantially lower risk. The IT team should consider taking on legacy technology security if they have the means.
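The configuration-related measures above (items 1, 2, 4 and 5) can be checked on a schedule against a device inventory. The following Python sketch is an added example, not part of the original article: the record fields, the three sample devices and the 90-day rotation window are all assumptions constructed for illustration.

```python
from datetime import date

# Constructed inventory; every field name and value here is hypothetical.
FLEET = [
    {"id": "pump-01", "mfa": True, "default_password": False,
     "password_set": date(2024, 5, 1), "encrypted_link": True,
     "fw": "2.4.1", "latest_fw": "2.4.1", "support_ends": date(2027, 1, 1)},
    {"id": "pacer-07", "mfa": False, "default_password": True,
     "password_set": date(2019, 3, 2), "encrypted_link": False,
     "fw": "1.9.0", "latest_fw": "1.10.2", "support_ends": date(2026, 6, 30)},
    {"id": "icd-12", "mfa": True, "default_password": False,
     "password_set": date(2023, 1, 15), "encrypted_link": True,
     "fw": "3.0.0", "latest_fw": "3.0.0", "support_ends": date(2022, 12, 31)},
]

MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation policy, not from the article


def version_key(v):
    """Compare versions numerically so that 1.10.2 sorts above 1.9.0."""
    return tuple(int(part) for part in v.split("."))


def audit(device, today):
    """Return the list of findings for one device record."""
    findings = []
    if not device["mfa"]:
        findings.append("mfa-not-enforced")
    if device["default_password"]:
        findings.append("default-credentials")
    elif (today - device["password_set"]).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password-overdue")
    if not device["encrypted_link"]:
        findings.append("unencrypted-transport")
    if version_key(device["fw"]) < version_key(device["latest_fw"]):
        findings.append("patch-available")
    if device["support_ends"] < today:
        findings.append("end-of-support")
    return findings


def audit_fleet(fleet, today):
    """Map device id to findings, worst first; clean devices are omitted."""
    report = {d["id"]: audit(d, today) for d in fleet}
    flagged = {k: v for k, v in report.items() if v}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))
```

Calling `audit_fleet(FLEET, date(2024, 6, 1))` lists the devices that need attention first; an end-of-support finding with no patch available is the case the article suggests the IT team take on directly.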
Hospitals Must Strengthen Cybersecurity to Protect Patients
Of course, the healthcare industry already takes security and privacy seriously because negligence could result in regulatory fines, public backlash and lost licenses. However, its meager cybersecurity spending and high data breach rate indicate it can do more to protect individuals. Providers, patients and manufacturers must work together to prevent cyberattacks.
About Zac Amos
Zac Amos is the Features Editor at ReHack and a contributor at Medical Design Briefs, CyberTalk, and The Journal of mHealth, where he has spent years covering cybersecurity and AI in healthcare. For more of his work, follow him on Twitter or LinkedIn.