Question

Heart Device Maker Says Hack Affected 1 Million Patients

  • 14 March 2023
  • 8 replies

  • Anonymous

https://www.govinfosecurity.com/heart-device-maker-says-hack-affected-1-million-patients-a-21425

It looks like it was personal information that was stolen, but that’s the sort of information that would be helpful in hacking into actual connected devices, which already exist and have had security issues: https://www.ahajournals.org/doi/10.1161/CIRCULATIONAHA.118.037331

My CPAP has a device that communicated with the insurance company to ensure that I was using it a minimum number of hours a night.  Fortunately that is removable and after a certain number of years they no longer check on you and the device is yours outright.  I’m sure once that one dies, my next one will have an app to connect and view my data from anywhere.  Not sure if I’ll be enabling that feature.  Anyone else have any connected medical devices?


8 replies

https://www.govinfosecurity.com/heart-device-maker-says-hack-affected-1-million-patients-a-21425

It looks like it was personal information that was stolen, but that’s the sort of information that would be helpful in hacking into actual connected devices, which already exist and have had security issues: https://www.ahajournals.org/doi/10.1161/CIRCULATIONAHA.118.037331

My CPAP has a device that communicated with the insurance company to ensure that I was using it a minimum number of hours a night.  Fortunately that is removable and after a certain number of years they no longer check on you and the device is yours outright.  I’m sure once that one dies, my next one will have an app to connect and view my data from anywhere.  Not sure if I’ll be enabling that feature.  Anyone else have any connected medical devices?

No, I have not yet connected any medical devices.
In general, I understand, wearable devices that monitor heart rate can be susceptible to interference from various sources, such as motion or ambient light, which can affect the accuracy of the readings.
Additionally, there is always a risk of hacking or data breaches when using any type of electronic device that stores personal health information.

Similarly, a couple of years ago, the FDA warned Abbott in a letter that the manufacturer of medical devices must submit a plan to remedy previously discovered cybersecurity flaws and other potential safety risks in some of St. Jude Medical's cardiac equipment.

https://healthitsecurity.com/news/fda-has-medical-device-cybersecurity-concerns-in-abbott-labs

I know that’s a concern for Apple with their latest watches monitoring your heart and soon maybe even your blood sugar if they can figure out that technical challenge: 

https://www.bloomberg.com/news/articles/2023-02-22/apple-watch-blood-glucose-monitor-could-revolutionize-diabetes-care-aapl

If a heart device maker reported that a hack affected 1 million patients, it would be a significant cause for concern. A hack on medical devices could potentially compromise the safety and wellbeing of patients who rely on these devices to regulate their heart health.

The device maker would need to take immediate action to investigate the extent of the hack and the potential impact on patients. This could involve working with cybersecurity experts to identify the vulnerabilities in their systems and implementing measures to prevent future hacks.

The affected patients would also need to be notified of the breach and provided with information on how to protect themselves from any potential harm. This could involve advising them to monitor their device for any unusual activity and to report any concerns to their healthcare provider.

Ultimately, the device maker would need to take responsibility for the hack and work to restore trust with patients and healthcare providers. This could involve offering compensation or support to those affected by the breach, as well as implementing measures to prevent similar incidents in the future.

https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update

I know that’s a concern for Apple with their latest watches monitoring your heart and soon maybe even your blood sugar if they can figure out that technical challenge: 

https://www.bloomberg.com/news/articles/2023-02-22/apple-watch-blood-glucose-monitor-could-revolutionize-diabetes-care-aapl

I'm hoping that Apple's security measures and software and hardware integrations will ensure better outcomes.

Medical device manufacturers eager for the personally identifiable information generated by patients' use of their products must reevaluate their threat model and ensure the organization has the security controls in place to protect sensitive. The incident illustrates how deeply networked connectivity has penetrated the medical device market, a development that has created new opportunities for hackers to steal personal information in an industry.

Emergency medical device provider is notifying more than 1 million individuals - including employees, patients and former patients - of a hacking incident that compromised their personal information.

https://blog.eset.ie/2023/03/14/heart-device-maker-says-hack-affected-1-million-patients/

According to a data breach report filed with the Maine Office of Attorney General on March 10, the medical equipment and software business Zoll Medical disclosed that it experienced a data breach that affected 1,004,443 individuals. First discovered on January 28, the hack. Patient names and Social Security numbers may have been obtained by the hackers. The business is providing those impacted by the breach with complimentary identity protection programmes.

https://www.databreachtoday.com/heart-device-maker-says-hack-affected-1-million-patients-a-21425

I know that’s a concern for Apple with their latest watches monitoring your heart and soon maybe even your blood sugar if they can figure out that technical challenge: 

https://www.bloomberg.com/news/articles/2023-02-22/apple-watch-blood-glucose-monitor-could-revolutionize-diabetes-care-aapl

I'm hoping that Apple's security measures and software and hardware integrations will ensure better outcomes.

They’ve been one of the better companies.  After the iCloud celebrity hack they got their shit together and now they’ve one of the best security organizations.

https://www.govinfosecurity.com/heart-device-maker-says-hack-affected-1-million-patients-a-21425

It looks like it was personal information that was stolen, but that’s the sort of information that would be helpful in hacking into actual connected devices, which already exist and have had security issues: https://www.ahajournals.org/doi/10.1161/CIRCULATIONAHA.118.037331

My CPAP has a device that communicated with the insurance company to ensure that I was using it a minimum number of hours a night.  Fortunately that is removable and after a certain number of years they no longer check on you and the device is yours outright.  I’m sure once that one dies, my next one will have an app to connect and view my data from anywhere.  Not sure if I’ll be enabling that feature.  Anyone else have any connected medical devices?

When the software of medical equipment is compromised, it can be a very significant problem, particularly if the device is essential to the patient's health.