Boston Scientific—Model 3120 ZOOM LATITUDE Programmer/Recorder/Monitor Systems: Manufacturer Provides Compensating Controls to Protect Patient Health Information Vulnerability
November 15, 2017 | Strategic Insights for Health System
ECRI Institute's complete weekly summary of medical device hazard and recall information is available in ECRI Institute's Health Devices Alerts (HDA). For more information about HDA, contact us at firstname.lastname@example.org.
The above programmer/recorder/monitor (PRM) is used to interrogate and program Boston Scientific implantable electronic cardiac devices such as pacemakers and defibrillators. In an October 19, 2017, product security advisory, the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) states that the above PRM system does not encrypt patient health information (PHI) saved to the hard drive, potentially allowing an unauthorized user to access PHI. Also, the PRM system uses a hard-coded cryptographic key to encrypt PHI before it is transferred to removable media. These vulnerabilities cannot be exploited remotely; exploitation requires physical access to the PRM and stored media. No known public exploits specifically target these vulnerabilities; however, an attacker with low skill would be able to exploit them. For further information regarding the...