Cardiac Devices Pose Cybersecurity Challenges, Study Finds

A new study of the four biggest makers of pacemaker systems found thousands of software vulnerabilities, highlighting an industry-wide problem with software security updates.

The study, undertaken by cybersecurity firm WhiteScope, looked at pacemakers, implantable cardioverter defibrillators, pulse generators, and cardiac rhythm management devices, and found potential weak spots common to the devices — including unencrypted firmware, hardcoded credentials and radio-frequency activation. That’s in addition to vulnerabilities found in third-party software libraries.

Programmers from all four pacemaker manufacturers were “struggling with updates, and every vendor had thousands of outdated libraries,” said Billy Rios, founder of WhiteScope, and co-author of studies on medical device security that have been adopted into DHS literature and FDA pre- and post-market guidance.