Alerts: Some Cardiac Programmers Put PHI at Risk
DHS, Medtronic Issue Advisories About Risks Posed by Lack of Encryption
The Department of Homeland Security and medical device maker Medtronic have issued alerts about the lack of encryption on certain cardiac programming devices that could potentially allow inappropriate access to patient information contained on the programmer.
Hospitals and clinics use the affected programmers to program and manage Medtronic cardiac implantable electronic devices, such as pacemakers.
Advisories issued on Dec. 13 by DHS' Industrial Control System Cyber Emergency Response Team and by Medtronic note that, if exploited, the missing encryption vulnerability may allow an attacker with physical access to the affected programmer to access information stored on the device.
Medtronic notes that patient information is intended to be stored on the programmers for short periods of time before being transferred to other medical systems or printed to paper reports.
"If the PHI/PII settings are not properly managed or the programmer is not properly retired, patient PHI/PII may remain on a programmer longer than necessary," Medtronic notes. "The specific types of PHI/PII stored by a programmer includes device serial number and device configuration settings. Other types of PHI/PII potentially stored on a programmer is determined by the personnel using the system."
The Medtronic CareLink and Encore programmers containing the encryption vulnerability include all versions of the CareLink 9790 and CareLink 2090 programmers and the 29901 Encore programmer.
Two of those programmer lines - the CareLink Encore programmers, models 2090 and 29901 - were also the subject of a voluntary recall announced in October by the Food and Drug Administration due to other cybersecurity vulnerabilities identified by the same security researchers - Billy Rios and Jonathan Butts of WhiteScope LLC - who found the latest programmer issues involving missing encryption (see: Medtronic Cardiac Devices Recalled Due to Cyber Concerns).
That earlier recall involved Medtronic blocking the affected programmers from accessing the company's network via the internet until the company issues security fixes so that the programmers cannot be exploited by unauthorized users.
Those vulnerabilities, if exploited, could allow unauthorized access to internet-connected devices for attackers "to alter the programmer to change the programmer's functionality or the implanted cardiac device during the device implantation procedure or during follow-up visits," according to the FDA.
The encryption-related vulnerabilities in the latest warnings cannot be remotely exploited. Gaining access to PHI or PII by leveraging the vulnerability would require physical access to a programmer, Medtronic notes.
Medtronic says the CareLink 9790 programmer was placed into "end-of-life status" in 2005 and is no longer supported by the company. "If a customer has a CareLink 9790 programmer, they should return the programmer to Medtronic," the company says in its alert.
As for the CareLink 2090 and 29901 Encore programmers, those devices store PHI/PII as part of their normal operating procedures "and should be handled, managed and secured in a manner consistent with the applicable laws for patient data privacy," the company says.
"The management and deletion of PHI/PII information on a programmer is under the control of the programmer user, in accordance with product labeling. PHI/PII should be retained on these programmers for the least amount of time necessary for its intended use."
Customers should refer to the programmer reference manual for instructions on setting the PHI/PII retention limit and deleting all PHI/PII prior to returning a retired programmer to Medtronic, the company says.
Even if the affected programmers are no longer being used for patient care, these devices can still pose a security and privacy risk due to the information they contain.
"At least in the past, these programming units were sometimes loaned to hospitals," notes Ben Ransford, president of healthcare cybersecurity firm Virta Labs.
"That's a special situation that doesn't apply to all medical devices. Tracking equipment that has been loaned to customers is a different matter and should make end-of-life recovery easier than if devices were sold to customers as capital expenses. I'm not sure why Medtronic would have to advise hospitals to stop using programmers that were on loan," he says.
Regardless of whether they're loaned or sold when new, Ransford says, "I've seen programmers like the affected ones bought and sold as used equipment on eBay. As long as there's a secondary market for medical devices, we'll continue to see devices haunting health systems after they've reached end of life."
Medtronic in its advisory notes that it has "worked with healthcare organizations who have experienced the loss of 9790 and 2090 programmers to identify 38 patients whose data may have been exposed due to these vulnerabilities." A Medtronic spokesman tells Information Security Media Group that data for 34 of the 38 potentially impacted patients was discovered on the 9790 programmers by the security researchers, which spurred Medtronic's assessment of the newer programmers included in the advisory.
Medtronic does not plan to add encryption to the programmers. "Per the advisory we recommend good physical control of the programmers and storing PHI/PII for the least amount of time necessary for its intended use," the spokesman says.
Ransford notes that security issues involving legacy medical devices are complicated by the fact that some healthcare entities continue to use the devices even after manufacturers stop actively supporting the products.
"You might imagine regulators like the Department of Health and Human Services penalizing hospitals for keeping devices in operation past end of life, but that would unfairly affect smaller or poorer hospitals that might not be able to provide care otherwise," he notes.
But continuing to use outdated products can potentially pose risks to patient safety as well as data security, he contends.
"The incentive structure is the real challenge. If you're a hospital operating one of these devices, you're weighing an unknown risk of patient harm or downtime against the certainty of having to pay a lot for a replacement unit," he says. "Also, if a device is doing the job you bought it to do, you're unlikely to want to replace it. That's why hospitals keep medical devices past end-of-life notifications."
Ransford adds: "The best we can do is to make sure software can be upgraded safely through the support period, and that replacement devices are within reach after end of life. I hope manufacturers and their customers eventually land on a better incentive structure."