Security Crisis of Cardiac Pacemakers Paves the Way for IoT Security Evolution in Cardiology

from The Health Care Blog at on July 29, 2019 at 02:02PM


While the healthcare IoT demand forecasts are more than generous, anticipating the market to hit $158.07B by 2022, there is still a certain delay in IoT adoption across the industry. Connected medical devices, especially those that are directly involved in patient care, are adopted cautiously due to potential security vulnerabilities and risks to patient safety.

One of the reasons behind the hesitant adoption of healthcare IoT in
cardiology is preexisting concerns about the security of implantable medical
devices, such as pacemakers.

The recent pacemaker crisis revealed the vulnerabilities in pacemaker
software across several major vendors. If exploited, software vulnerabilities would
allow hackers to take over the device and control it fully. The crisis led to device
recalls, certain features disabled, and even remote updates cut off completely to
avoid unacceptable health risks.

This series of events led to a cautious attitude toward the emerging cardiology IoT. Since we can’t be sure that all exploits and vulnerabilities are eliminated in less advanced systems, are we really ready to take a step forward to more elaborate healthcare software solutions at this point?

The fact of the matter
is, cardiology is already taking these steps. The new generation of pacemakers has
embedded sensors to monitor a patient’s blood temperature, sinus node rate,
breathing, and other vitals. This data is used to flexibly alter the heart
rate, slowing or speeding it depending on a patient’s current activity level. They
also inherited remote control from their predecessors. Practically, next-gen
pacemakers are IoT devices.

Accordingly, the
industry can either stigmatize the security concerns or choose to adopt a new perspective,
seeing the pacemaker crisis as an opportunity to create a solid platform for
unbiased adoption of upcoming connected cardiac devices.

The Pacemaker Crisis: Fast Facts

In 2017, FDA recalled approximately 465K pacemakers made by Abbott due to their potential security issues. In particular, the devices were identified as vulnerable to hacking, which could increase their activity or reduce battery life. Tampering with such insecure pacemakers would quicken the battery drainage and pose an indirect risk for the patients’ health and safety.

That same year, security researchers Billy Rios of Whitescope and Jonathan Butts of QED Secure Solutions uncovered vulnerabilities in one of Medtronic’s cardiac device programmers. They found vulnerabilities which would allow unauthorized users to get access to the programmer’s settings and tweak the functionality, taking control over the pacemakers. If any hackers were to exploit these vulnerabilities, they could disrupt the patient’s heart rhythms, hurting or even killing people.

The researchers
notified Medtronic about their findings, warning them about potential patient
safety threats. However, the vendor didn’t address the issue fully until 2018,
when Billy Rios and Jonathan Butts demonstrated their discovery during the
Black Hat security conference speech. The demonstration resonated with the
audience and also drew the attention of DHS, FDA, and NCCIC. The regulators
started collaborating with Medtronic to assist them in mitigating data security
and patient safety threats in their devices.

However, security assurance seems to be still far from completion, as the attention of manufacturers and government agencies spreads to other cardiac devices. The 2019 FDA safety communication lists a wide range of Medtronic’s products that are still considered vulnerable.

The list features implantable
cardioverter defibrillators (ICDs), cardiac resynchronization therapy
defibrillators (CRT-Ds), device programmers, and monitors. Due to the lack of
encryption, authentication, and authorization in the Conexus wireless telemetry
protocol used in these devices, unauthorized users may be able to access and
control them. The FDA also states that Medtronic is on the way to implementing additional
security updates to ensure both PHI and patient health safety.

Turning Gaps into Gains: The Action Plan

Following the
pacemaker crisis, cardiac IoT security assurance activities must be

First, the regulators,
providers and manufacturers must reach a consensus. All parties should make an
effort to come up with standardized practices for securing IoT development and
maintenance. In particular, they should define the obligatory protocols for
remote configuration, data transfer, and updates to ensure the following
security measures:


Identity validation
and role-based access allow securing cardiac devices against unauthorized
access. Only verified users, messages and services will be able to interact
with protected device.


To ensure integrity,
security testing should be held throughout the stages of development, upon
implementation, and after each major update. Moreover, the manufacturers can
issue specific certificates to validate data transactions, making sure they can’t
be intercepted or altered.


Encrypted data transfer
is also an essential measure for assuring the safety of cardiac devices. All
inbound and outbound data flows, such as monitored vitals and patients’ current
health status information, will be transmitted privately, making it much more
difficult for hackers to access and modify data.

While the older cardiac
devices may be too low-power, low-memory or low-capability to support all the basic
security measures, vendors and regulators can work together to get rid of the
vulnerabilities and exploits with certain workarounds.

For example, Medtronic
significantly limited the range for the remote control and configuration of
their pacemakers, programmers, and monitors. So while the vulnerabilities may
still be in place, unauthorized users can only access them while physically
near the active devices.


Fortunately, there
have been no malicious activities or attacks in which hackers tampered with
pacemakers, programmers, or other cardiac devices so far. However, the
possibility itself is critical enough to prioritize the security assurance of
connected cardiology devices.

The security crisis associated with cardiac devices might have hindered their adoption, yet it also pointed to a critical gap in policy-making and technology testing on the whole. While some measures are underway, fully bridging this gap will require a more coordinated effort from both regulators and manufacturers.

Inga Shugalo is a Healthcare Industry Analyst at Itransition, a custom software development company headquartered in Denver, Colorado. She focuses on Healthcare IT, highlighting the industry challenges and technology solutions that tackle them.