Incident: Implanted Medical Devices Vulnerable to Hacks by Security Researchers

Published Date: 2018-08-10

Postmortem Analysis
Timeline
1. The researchers first reported the vulnerabilities in the implanted medical devices to the manufacturer 570 days before the article was published [74400].
2. The article was published on 2018-08-10.
3. Calculating the estimated timeline: 570 days before 2018-08-10 places the incident around February 2017. Therefore, the software failure incident with the implanted medical devices and their security vulnerabilities likely happened around February 2017.
System 1. Implanted medical devices by Medtronic [74400]
Responsible Organization 1. Security researchers Jonathan Butts of QED Secure Solutions and Billy Kim Rios of Whitescope were responsible for causing the software failure incident by demonstrating the vulnerabilities in the implanted medical devices [74400].
Impacted Organization 1. Patients with implanted medical devices [74400]
Software Causes 1. Security vulnerabilities in implanted medical devices discovered by security researchers [74400]
Non-software Causes
1. Lack of timely response and action by the manufacturer, Medtronic, to address the reported security vulnerabilities [74400].
2. Downplaying the severity of the weaknesses by Medtronic in its cybersecurity alerts and bulletins, which could lead patients and doctors to misunderstand the risks [74400].
3. Gaps in the ecosystem related to manufacturers' varying abilities to respond to cybersecurity threats, as highlighted by FDA director Suzanne Schwartz [74400].
Impacts
1. The software failure incident led to the discovery of nine security vulnerabilities in implanted medical devices, including insulin pumps and pacemakers, which could potentially lead to injury or death if abused [74400].
2. The security researchers were able to remotely disable an implantable insulin pump, preventing it from delivering medication, and take total control of a pacemaker system, demonstrating the severity of the vulnerabilities [74400].
3. The manufacturer of the devices, Medtronic, decided not to fix the discovered flaws, leaving patients and doctors to take extra care with the networks the devices are connected to [74400].
4. The incident highlighted a gap in the ecosystem regarding manufacturers' ability to respond to cybersecurity threats in medical devices, raising concerns about the protection of patients' lives from potential attacks [74400].
Preventions
1. A timely and proactive response from the manufacturer, Medtronic, to the reported vulnerabilities could have prevented the software failure incident [74400].
2. Implementing robust cybersecurity measures in the design and development of the implanted medical devices could have prevented the vulnerabilities exploited by the security researchers [74400].
3. Conducting thorough security assessments and penetration testing of the devices before market release could have identified and addressed the security weaknesses, preventing potential exploitation [74400].
4. Enhancing communication and collaboration between security researchers, manufacturers, regulatory bodies like the FDA, and healthcare providers could lead to a more coordinated approach to addressing cybersecurity risks in medical devices, potentially preventing such incidents in the future [74400].
Fixes
1. Medtronic could release software patches or updates to fix the security vulnerabilities in the implanted medical devices [74400].
References
1. Jonathan Butts of QED Secure Solutions and Billy Kim Rios of Whitescope [74400]
2. Suzanne Schwartz, FDA director responsible for the agency's cybersecurity partnerships [74400]
3. Medtronic spokesperson [74400]

Software Taxonomy of Faults

Category Option Rationale
Recurring: one_organization
(a) The software failure incident related to implanted medical devices with security vulnerabilities has happened again within the same organization, Medtronic. The article mentions that the security researchers, Jonathan Butts and Billy Kim Rios, criticized Medtronic for its slow response, attempts to downplay the weaknesses, and not fixing the flaws discovered despite being informed about them 570 days ago [74400]. Medtronic's response to the vulnerabilities was to recommend that patients and doctors take extra care with the networks they connect the devices to, rather than fixing the vulnerabilities themselves.

Phase (Design/Operation): design, operation
(a) The software failure incident related to the design phase is evident in the article. The security vulnerabilities in the implanted medical devices were discovered by security researchers Jonathan Butts and Billy Kim Rios. They found nine security vulnerabilities in the devices, including implantable insulin pumps and pacemakers. Despite reporting these vulnerabilities to the manufacturer, Medtronic, the company did not address the issues promptly. The researchers criticized Medtronic for its slow response, downplaying the weaknesses, and failing to fully explain the risks associated with the vulnerabilities [74400].
(b) The software failure incident related to the operation phase is also highlighted in the article. During a live session at the Black Hat information security conference, the security researchers remotely disabled an implantable insulin pump and took total control of a pacemaker system. They demonstrated how they could deliver malware directly to the computers implanted in a patient's body, potentially causing harm or even death. The researchers warned individuals with implanted medical devices to be cautious, indicating the risks associated with the vulnerabilities in the devices [74400].

Boundary (Internal/External): within_system, outside_system
(a) within_system: The software failure incident in this case is primarily within the system. The vulnerabilities and hacks demonstrated by the security researchers were related to the implanted medical devices themselves, such as insulin pumps and pacemakers. The researchers were able to remotely disable the insulin pump and take total control of the pacemaker system by hacking the system that a doctor would use to program the pacemaker [74400]. The flaws and weaknesses were inherent to the design and software of the devices, leading to the potential risks identified by the researchers.
(b) outside_system: The software failure incident also involves factors originating from outside the system. The researchers criticized the manufacturer, Medtronic, for its slow response and attempts to downplay the weaknesses. They reported the vulnerabilities to Medtronic over 500 days ago, but the company did not take adequate action. This external factor, the manufacturer's response, contributed to the ongoing risks associated with the vulnerabilities in the implanted medical devices [74400].

Nature (Human/Non-human): non-human_actions, human_actions
(a) The software failure incident in this case is primarily due to non-human actions, specifically security vulnerabilities in the implanted medical devices. The vulnerabilities were discovered by security researchers who were able to remotely disable an insulin pump and take control of a pacemaker system [74400]. These vulnerabilities were not introduced by human actions but were inherent weaknesses in the devices themselves.
(b) However, human actions also played a role in this incident. The security researchers, Jonathan Butts and Billy Kim Rios, demonstrated the hacks in a live session at the Black Hat information security conference. They reported the vulnerabilities to the manufacturer, Medtronic, but criticized the company for its slow response and attempts to downplay the weaknesses. The researchers eventually went public with their findings at the conference after Medtronic's inadequate response [74400].

Dimension (Hardware/Software): hardware, software
(a) The software failure incident in the articles is primarily related to hardware vulnerabilities in implanted medical devices. The security researchers demonstrated how they were able to remotely disable an implantable insulin pump and take total control of a pacemaker system, which are hardware devices implanted in patients' bodies [74400].
(b) The software failure incident also involves software vulnerabilities, as the security researchers hacked into the system that a doctor would use to program a patient's pacemaker. They were able to rewrite the system and potentially program harmful instructions into any pacemaker connected to it. This aspect of the incident highlights software vulnerabilities in the devices [74400].

Objective (Malicious/Non-malicious): malicious, non-malicious
(a) The software failure incident in this case is malicious. The security researchers demonstrated how they could remotely disable an implantable insulin pump and take total control of a pacemaker system, allowing them to deliver malware directly to the computers implanted in a patient's body. They highlighted the potential harm that could be caused by these vulnerabilities, including the ability to issue harmful instructions to the pacemaker or deny necessary treatment, which could lead to injury or death [74400]. The researchers criticized the manufacturer, Medtronic, for its slow response and attempts to downplay the weaknesses, ultimately leading them to go public with their findings at the conference.
(b) The software failure incident is also non-malicious in the sense that the vulnerabilities were not intentionally introduced by the manufacturer. Medtronic, the manufacturer of the devices, was criticized for its response to the security vulnerabilities. The company stated that it will not fix the flaws discovered and instead recommended that patients and doctors take extra care with the networks they connect the devices to. Medtronic categorized the flaws as posing a "low (acceptable)" risk to patient safety, indicating that the failures were not intentionally introduced but rather resulted from oversight or a lack of proactive measures to address the vulnerabilities [74400].

Intent (Poor/Accidental Decisions): poor_decisions
(a) The intent of the software failure incident: the software failure incident related to the implanted medical devices with security vulnerabilities can be attributed to poor decisions made by the manufacturer, Medtronic. Despite being informed about the vulnerabilities by security researchers 570 days ago, Medtronic did not take adequate action to address the issues. The researchers criticized Medtronic for its slow response, attempts to downplay the weaknesses, and failure to fully explain the risks associated with the vulnerabilities [74400]. This indicates that the software failure incident was primarily a result of poor decisions made by the manufacturer.

Capability (Incompetence/Accidental): development_incompetence
(a) The software failure incident related to development incompetence is evident in the case of the implanted medical devices with security vulnerabilities. The security researchers criticized Medtronic, the manufacturer of the devices, for its slow response and attempts to downplay the weaknesses. They reported the vulnerabilities to the manufacturer over 500 days ago and even demonstrated proof-of-concept attacks to highlight the potential harm that could be done [74400].
(b) The software failure incident related to accidental factors is seen in the vulnerabilities discovered in the implanted medical devices. The weaknesses were not intentionally created but were accidental flaws in the design and implementation of the devices. Despite the potential risks of injury or death if the vulnerabilities were abused, the manufacturer, Medtronic, decided not to fix the flaws but instead recommended that extra care be taken with the networks the devices are connected to [74400].

Duration: permanent
The software failure incident related to the implanted medical devices with security vulnerabilities discovered by the security researchers can be considered a permanent failure. This is evident from the fact that the manufacturer, Medtronic, has decided not to fix the flaws despite being aware of the potential risks and of the ability of hackers to take control of the devices [74400]. The researchers had reported the vulnerabilities to Medtronic over 570 days ago, and even after being informed about how someone could take control of the devices, the company chose not to address the issues promptly. This decision by Medtronic not to fix the vulnerabilities indicates a permanent failure in addressing the security weaknesses in the implanted medical devices.

Behaviour: crash, omission, value, other
(a) crash: The software failure incident in the articles can be categorized as a crash, as the security researchers were able to remotely disable an implantable insulin pump and take total control of a pacemaker system, preventing the devices from delivering the necessary medication and potentially causing harm or death to the patients [74400].
(b) omission: The incident can also be classified as an omission, as the vulnerabilities in the implanted medical devices led to the omission of their intended functions, such as delivering medication or providing necessary treatment to patients [74400].
(c) timing: There is no specific mention of the software failure incident being related to timing issues in the articles.
(d) value: The incident can be associated with a value failure, as the security researchers were able to take control of the pacemaker system and potentially program it with harmful instructions, leading to incorrect functioning of the device and posing risks to patient safety [74400].
(e) byzantine: The software failure incident does not align with a byzantine failure, which involves inconsistent responses and interactions, as the focus here is on the vulnerabilities and control demonstrated by the security researchers over the medical devices.
(f) other: The behaviour of the software failure incident can be described as a security vulnerability exploit, where the weaknesses in the devices allowed external parties to gain unauthorized control and manipulate the functioning of critical medical equipment, posing significant risks to patient safety [74400].

IoT System Layer

Layer Option Rationale
Perception: sensor, actuator, processing_unit, network_communication, embedded_software
(a) sensor: The software failure incident mentioned in the article is related to implanted medical devices, such as insulin pumps and pacemakers. These devices rely on sensors to monitor and regulate bodily functions. The security vulnerabilities discovered by the researchers allowed them to remotely disable an implantable insulin pump and take control of a pacemaker system, indicating that the failure could be related to contributing factors introduced by sensor error [74400].
(b) actuator: The incident involved the researchers taking total control of a pacemaker system, which includes actuators responsible for delivering shocks or other treatments to the patient's body. By hacking the system that a doctor would use to program a patient's pacemaker, the researchers were able to potentially issue harmful instructions, indicating that the failure could be related to contributing factors introduced by actuator error [74400].
(c) processing_unit: The researchers demonstrated the hacks by taking control of the pacemaker system, which involves the processing unit responsible for executing commands and managing the device's functions. By rewriting the system and potentially reprogramming the pacemaker with harmful instructions, the failure could be related to contributing factors introduced by processing error [74400].
(d) network_communication: The security vulnerabilities discovered in the implanted medical devices allowed the researchers to remotely disable an insulin pump and take control of a pacemaker system. These actions involved communication between the devices and external systems, indicating that the failure could be related to contributing factors introduced by network communication error [74400].
(e) embedded_software: The software failure incident involved vulnerabilities in the implanted medical devices' software that allowed the researchers to remotely disable an insulin pump and take control of a pacemaker system. The hacks demonstrated by the researchers highlight weaknesses in the embedded software of these devices, indicating that the failure could be related to contributing factors introduced by embedded software error [74400].

Communication: connectivity_level
The software failure incident described in the article [74400] is related to the connectivity level of the cyber-physical system. The security vulnerabilities discovered in the implanted medical devices, such as insulin pumps and pacemakers, were due to weaknesses in the network and communication layers of the devices. The security researchers were able to remotely disable an insulin pump and take total control of a pacemaker system by exploiting vulnerabilities in the systems that doctors use to program these devices. The hacks demonstrated by the researchers involved manipulating the network and communication protocols to deliver malware and harmful instructions to the implanted devices, highlighting the risks associated with the connectivity of these medical devices to external networks.

Application: TRUE
The software failure incident described in the article [74400] is related to the application layer of the cyber-physical system. The security vulnerabilities discovered in the implanted medical devices, such as insulin pumps and pacemakers, were exploited by security researchers through hacking techniques that involved taking control of the devices' software systems. The researchers remotely disabled an implantable insulin pump and took total control of a pacemaker system by hacking the system that a doctor would use to program a patient's pacemaker. These actions demonstrate that the failure was indeed related to the application layer of the cyber-physical system, as it involved manipulating the software and introducing harmful instructions into the devices' programming.

Other Details

Category Option Rationale
Consequence: death, harm, property, non-human, theoretical_consequence
(a) death: The software failure incident involving implanted medical devices with security vulnerabilities could potentially lead to injury or death if abused. The security researchers demonstrated the ability to remotely disable an implantable insulin pump, preventing it from delivering medication, and to take total control of a pacemaker system, allowing them to deliver malware directly to the computers implanted in a patient's body [74400].

Domain: health
(a) The failed system in this incident is related to the health industry. The vulnerabilities discovered in implanted medical devices, specifically insulin pumps and pacemakers, pose serious risks to patients' safety and well-being [74400]. The security researchers demonstrated how they could remotely disable an insulin pump and take total control of a pacemaker system, highlighting the potential harm that could result from these vulnerabilities. The manufacturer of the devices, Medtronic, was criticized for its slow response and downplaying of the weaknesses, ultimately deciding not to fix the flaws discovered [74400]. The FDA director responsible for cybersecurity partnerships emphasized the importance of protecting these devices from attacks to ensure patients can continue to live good-quality lives [74400].
