Hackers Can Exploit Medical Device to Access Patient Information, Feds Advise

The Zoom Latitude programmer, used by doctors to communicate with patients' pacemakers and defibrillators, leaves personal data vulnerable.

by Joe Carlson, Star Tribune / October 26, 2017

(TNS) -- The Department of Homeland Security said a medical device from Boston Scientific called the Zoom Latitude programmer, used by doctors to communicate with implanted pacemakers and defibrillators, can be exploited by computer hackers to give out patients' personal health information.

The computer-security vulnerability in the Zoom Latitude programmer is apparently not related to numerous reports of physical malfunctions of the device over the years, including reports of some older units malfunctioning and giving off burning odors, as described in public reports in the Food and Drug Administration's MAUDE database.

The recent cybersecurity advisory from Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said doctors should keep their Zoom Latitude Programmer-Recorder-Monitor (PRM) Model 3120 machines in locked locations and make sure to delete all personal health information before removing the devices from the facility where they are stored. The device is made by a Boston Scientific division headquartered in Minnesota.

"We rigorously evaluate the security of our rhythm management devices through a comprehensive security risk assessment process, aligned with the FDA's guidance," a Boston Scientific spokeswoman said via e-mail Tuesday. "The ICS-CERT advisory highlights the importance of physical security in mitigating the risk of unauthorized users accessing patient data stored on a medical device — much like a laptop left in an open space is at risk of a security breach."

The cybersecurity advisory said Boston Scientific does not recommend that doctors stop using the devices, but just make sure they are properly controlled and that access to them is inventoried. The devices aren't designed to be networked, but even a low-skilled attacker with physical access to the machines could exploit the vulnerability and find old patient data, according to the Homeland Security advisory.

There are two confirmed computer flaws in the device, according to the advisory. The affected machines do not encrypt personal health information "at rest" on the devices, and when patient data is transferred to removable media, the programmer uses a cryptographic key that is hard-coded inside the machine. Both vulnerabilities could allow access to past patients' protected health information.

Security researchers Jonathan Butts and Billy Rios of the cyber-consulting firm WhiteScope discovered the flaws, which are not believed to have been exploited by malicious hackers, the advisory said.

"The findings of the advisory do not impact patient safety," the Boston Scientific statement said.

FDA's MAUDE database of medical device malfunctions and adverse event reports includes more than 200 reports about the widely used Boston Scientific device programmer since 2013 covering various issues, only a handful of which were related to patient injuries.

One of the most common complaints reported is that components in the devices can overheat and stop working. In one report last month, a Boston Scientific official confirmed that an "electrical overstress" had occurred in a unit that was sent back to the plant following a "burning smell" emitting from the machine.

©2017 the Star Tribune (Minneapolis) Distributed by Tribune Content Agency, LLC.