[BreachExchange] Medical device company criticized for lax response to hacking vulnerability

Destry Winant destry at riskbasedsecurity.com
Thu Mar 8 00:36:43 EST 2018


http://www.securityinfowatch.com/news/12401751/medical-device-company-criticized-for-lax-response-to-hacking-vulnerability

Medtronic is acknowledging that it took too long to analyze a
cybersecurity problem that hackers say could allow a malicious
attacker to compromise the system used to update the software on
defibrillators implanted in patients' chests.

The Minnesota-based medical device maker said the vulnerabilities in its
CareLink 2090 programmers for implantable defibrillators worldwide
don't create a safety risk for patients, but the company has stepped
up internal integrity checks on its network and amplified its advice
to keep the devices in a secure environment without access to the
internet.

The Homeland Security Department published a brief security advisory
about the issue last week. Billy Rios, the founder of the firm
WhiteScope LLC that discovered the flaws, says it took Medtronic over
a year to handle flaws that should have taken weeks to address.

The WhiteScope report says cybersecurity vulnerabilities in systems
like those in Medtronic's CareLink 2090 defibrillator programmer could
allow a malicious hacker to remotely tamper with the programmer or the
implanted device.

Rios says he was so dismayed by Medtronic's laggard pace in addressing
the findings of his January 2017 report that he's likely to bring
future vulnerability reports directly to regulators like the Food and
Drug Administration rather than alerting the company first, as is
common practice in the industry.

"This was probably the most frustrating disclosure of a cybersecurity
vulnerability of any medical device I've ever encountered," Rios said.
"They have a responsibility to figure this stuff out and not try to
essentially slow-play researchers to try to make them go away. That's
why I'm so frustrated here. We've worked with all the major
manufacturers in the pacemaker ecosystem. ... None of them have
treated us this way."

Two independent security researchers who reviewed the WhiteScope
report confirmed that it appeared to use sound methodology to reach
its conclusions. The researchers said the root of the vulnerability is
that the CareLink 2090 programmers appear to use commercially
available software, including an embedded version of the Microsoft Windows XP
operating system that hasn't been supported by Microsoft since 2016.

The report says WhiteScope researchers were able to use known
vulnerabilities in the underlying software to exploit weaknesses in a
used CareLink 2090 unit purchased online. The WhiteScope hackers got
the system to cough up several network and device passwords, which
together could be used to compromise Medtronic's network for pushing
software updates to devices, the report says.

Medtronic issued a statement on Monday acknowledging Rios' criticism
that it took "longer than all of us expected" to confirm the findings
and issue a response. Medtronic defended itself by saying that
employees determined "early in the process" that the vulnerability
didn't affect patient safety.

"It took significant time and resources to thoroughly assess the
matter and determine what risks, if any, existed," Medtronic
spokeswoman Erika Winkels said via e-mail. Medtronic "will implement
some new procedures internally to help streamline and improve our
efficiency and share what we learn."

The statement added that the company intends to "be quicker to
coordinate between ICS-CERT, FDA and the researcher, and more
efficient with any public disclosure."

ICS-CERT is the Homeland Security Department's Industrial Control
Systems Cyber Emergency Response Team, which monitors cyber
vulnerabilities in critical U.S. infrastructure, including medical
technology; FDA is the U.S. Food and Drug Administration, which
strongly encourages device companies to consider a product's total
life cycle, including future security needs, when designing new
medical devices.

While Rios and Medtronic agree that vulnerabilities were present in
the CareLink 2090, they disagree on whether the issue could affect
patients directly.

The device at the center of the issue is a programmer that is used in
the hospital or doctor's office to communicate with an implanted heart
defibrillator to record diagnostics and program therapy settings.

Fourteen months ago, WhiteScope researchers provided Medtronic with a
22-page report purporting to document cybersecurity flaws that would
allow a malicious hacker to change the therapy provided by the
machine, according to a copy of the report.

Although the software problems in the CareLink device offered keys to
hack the Medtronic network, the hackers stopped short of doing so.
Rather, they used the vulnerabilities to hack a replica of the
Medtronic network, then told Medtronic what they found.

Rios said Medtronic took more than a year to address the issue, but
standard industry protocol usually provides 45 days to mitigate a
problem before the issue is publicized.

In the Homeland Security alert published last week, Medtronic
recommended doctors maintain "good physical control" over their
CareLink devices, only connect to "secure" networks, and update system
software when Medtronic updates become available. Separately,
Medtronic developed "server-side" security changes and new integrity
updates to monitor for system hacking, but no new software update is
forthcoming for the issues outlined in Rios' report.

Other experts in the med-tech cybersecurity field said there are sound
reasons why it can be difficult to address problems like those pointed
out by WhiteScope.

Todd Carpenter, chief engineer at Minneapolis cybersecurity firm
Adventium Labs, said it can be risky for medical technology makers to
rush fixes onto the market, especially when there's no allegation of a
patient being harmed.

"To a company the size of Medtronic -- they are holding the safety of
tens of thousands of people in their hands. You don't make arbitrary
changes, even when they are well-intentioned," Carpenter said. "If you
mess something up, you will cause harm."

