Skip to main content

More Medical Devices Under Attack, Some PaceMakers May Be Vulnerable

By November 7, 2016March 2nd, 2023Blog, Cybersecurity

morexmedicalThe Internet of Things has been getting a lot of bad press in recent weeks. Not long ago, an army of enslaved smart devices was used to bring much of the internet in the United States to its knees for several hours. A few weeks before that, an exploit in a “smart” insulin pump was demonstrated that could potentially allow a hacker to kill the patient relying on it by ordering an insulin injection when none was needed.

Now, there’s a new chapter in the ongoing parade of bad news for internet-connected devices. This time, it revolves around a series of cardiac implants and monitoring devices that are monitored by the Patient Care Network.

Researchers recently released a series of Youtube videos outlining in details the means by which hackers could take control of the monitoring equipment and either turn it off, or deliver a defibrillation charge to a patient who didn’t need one, essentially shocking their heart at-will. Worse, the hacker could opt to leave the defibrillator running, essentially giving the patient a continuous, ongoing shock until death occurred.

St. Jude Medical Center, which relies heavily on the Merlin service, flatly denies that the attack is possible, and insists that it is a publicity stunt designed to damage the company’s stock price. The evidence presented by the video, however, is both clear and compelling.
An investigation is currently underway, and lawsuits have been filed, so it will likely be some time before the full truth comes out, but one thing we know for certain.

So-called “smart” devices are notoriously bad when it comes to digital security. We’ve seen too many high profile cases in which significant damage has been done for no other reason than the fact that equipment manufacturers can’t be bothered to put reasonable security measures in place on the equipment they sell. This isn’t the first time a medical device has been identified as containing critical security flaws.

If you have been issued a cardiac monitoring device that relies on the monitoring service, beware. There is not, as of yet, a fix of any kind that will prevent this hack.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.