Any connected device these days is a potential target of hackers — and that now includes defibrillators.
Implantable defibrillators made by Minneapolis, Minn.-based Medtronic could allow an attacker to interfere with the devices and collect sensitive data from them, the Department of Homeland Security (DHS) said in a medical advisory.
A defibrillator is used to treat a life-threatening cardiac event by resetting the electrical state of the heart so that it can beat normally. In the affected Medtronic devices, the defibrillator communicates with other equipment over an unsecured protocol.
Exploiting the vulnerability requires only a “low skill level,” the DHS advisory said.
The issue affects certain ICD (implantable cardioverter defibrillator) and CRT-D (cardiac resynchronization therapy defibrillator) models that use the Conexus telemetry system, Medtronic told Fox News in a statement.
The problem does not affect pacemakers, insertable cardiac monitors or other Medtronic devices, the company said. “To date, no cyber attack, privacy breach, or patient harm has been observed or associated with these issues,” Medtronic added.
The core vulnerability is that the Conexus telemetry protocol (the automated communication process used to collect data from the devices) implements neither authentication nor authorization, according to the DHS.
“An attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication,” the DHS advisory said.
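The four verbs in the advisory (inject, replay, modify, intercept) map directly onto what a telemetry link without authentication cannot distinguish. The following is an added illustration, not the Conexus frame format (which is proprietary) and not Medtronic's fix: it models a constructed toy telemetry frame, first with a receiver that accepts any frame that parses, then with a receiver that requires an HMAC over the frame plus a monotonically increasing counter, with the per-pairing key assumed to be provisioned out of band (for example, when the device is programmed in clinic). The frame layout, key, device id and payload strings are all assumptions for the example.

```python
import hashlib
import hmac
import struct

# Constructed toy telemetry frame: device_id (4 bytes) || counter (4 bytes) || payload.
# This layout is an assumption for illustration; it is not the proprietary Conexus format.
HDR = struct.Struct(">II")
TAG_LEN = 16  # truncated HMAC-SHA256 tag appended to each authenticated frame


def build_frame(device_id: int, counter: int, payload: bytes) -> bytes:
    return HDR.pack(device_id, counter) + payload


def make_tag(key: bytes, frame: bytes) -> bytes:
    # The MAC covers device id, counter and payload, so none can be changed unnoticed.
    return hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]


def authenticated_frame(key: bytes, device_id: int, counter: int, payload: bytes) -> bytes:
    frame = build_frame(device_id, counter, payload)
    return frame + make_tag(key, frame)


class UnauthenticatedReceiver:
    """A link with no authentication or authorization: any frame that parses is
    accepted, whoever sent it, so injection, replay and modification all succeed."""

    def __init__(self):
        self.accepted = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) < HDR.size:
            return False
        device_id, counter = HDR.unpack_from(frame)
        self.accepted.append((device_id, counter, frame[HDR.size:]))
        return True


class AuthenticatedReceiver:
    """The same link hardened with a per-pairing key (assumed to be provisioned out of
    band). Each frame must carry a valid HMAC, and its counter must exceed the highest
    counter already accepted from that device, which defeats replay of captured frames."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # device_id -> highest counter accepted so far
        self.accepted = []

    def receive(self, msg: bytes) -> bool:
        if len(msg) < HDR.size + TAG_LEN:
            return False
        frame, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        # Constant-time comparison; a plain == would leak tag bytes through timing.
        if not hmac.compare_digest(tag, make_tag(self.key, frame)):
            return False  # forged (attacker has no key) or modified in transit
        device_id, counter = HDR.unpack_from(frame)
        if counter <= self.last_counter.get(device_id, -1):
            return False  # replay of a frame already seen
        self.last_counter[device_id] = counter
        self.accepted.append((device_id, counter, frame[HDR.size:]))
        return True


def demo() -> dict:
    """Run inject, replay and modify against both receivers; values are constructed."""
    key = b"example-pairing-key"  # assumed; a real key would come from device pairing
    dev = 0x1001
    legit = authenticated_frame(key, dev, 7, b"SHOCK_THRESHOLD=200")
    # Attacker without the key can only guess a tag.
    forged = build_frame(dev, 8, b"SHOCK_THRESHOLD=50") + b"\x00" * TAG_LEN
    # Attacker flips one payload byte of a captured legitimate frame.
    modified = bytearray(legit)
    modified[HDR.size] ^= 0x01
    modified = bytes(modified)

    weak, strong = UnauthenticatedReceiver(), AuthenticatedReceiver(key)
    return {
        "inject_unauth": weak.receive(forged[:-TAG_LEN]),  # accepted: nothing to check
        "replay_unauth": weak.receive(legit[:-TAG_LEN]) and weak.receive(legit[:-TAG_LEN]),
        "legit": strong.receive(legit),     # accepted once
        "replay": strong.receive(legit),    # same counter again: rejected
        "inject": strong.receive(forged),   # bad tag: rejected
        "modify": strong.receive(modified), # tag no longer matches: rejected
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: a MAC and counter stop injection, replay and modification but do nothing against interception, which needs encryption of the payload as well; and counter-based replay protection only works if the receiver keeps per-device state across resets and the counter can never wrap or be rolled back.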
The DHS advisory listed about 20 products and versions of Medtronic devices affected.
Connected and vulnerable
Medical devices are increasingly connected to the internet, hospital networks and to other devices, the Food and Drug Administration (FDA) said in a separate general advisory.
“These same features also increase the risk of potential cybersecurity threats,” the FDA said.
"We’ve created a mass of medical devices that have no security built into them," Nadir Izrael, CTO and co-founder of Armis, an IoT (Internet of Things) security firm, told Fox News.
"I speak with healthcare companies regularly, and I’ve seen the ways that connected devices in healthcare settings are being targeted by malicious actors," Izrael continued. "I’ve seen MRI machines talking to servers in Russia, a medical crash cart being used to access Facebook or phishing websites, and even an infusion pump infected by malware that was still connected to a patient."
Medtronic said it is developing software updates to improve the security of wireless communication. The first update is scheduled for later in 2019, subject to regulatory approvals.
Medtronic and the FDA recommend that patients and physicians continue to use devices as prescribed and intended, “as this provides for the most efficient way to manage patients’ devices and heart conditions,” the company said.
Defensive measures that users can take to minimize the risk include:
- Maintain physical control over home monitors and programmers
- Use only home monitors, programmers, and implantable devices obtained directly from your healthcare provider or a Medtronic representative to ensure integrity of the system
- Do not connect unapproved devices to home monitors and programmers through USB ports or other physical connections