The Department of Homeland Security has flagged a cybersecurity weakness in the system Medtronic uses to transmit data from certain cardiac implants.
DHS scored the weakness 9.3 out of 10 on the Common Vulnerability Scoring System (CVSS), which places it in the scale's critical band.
The vulnerability could enable a hacker to change the settings on defibrillator implants, but Medtronic thinks the benefits of the remote monitoring feature outweigh the risks.
The vulnerability affects devices that use Medtronic's Conexus radiofrequency wireless telemetry protocol, such as the company's implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators. Medtronic's pacemakers are not affected by the vulnerability.
There is no evidence anyone has exploited the vulnerability. But, in theory, a hacker in the vicinity of a patient could interfere with Conexus communications while the radiofrequency function is active, reading data sent by the device or modifying its settings. The weakness stems from Conexus' lack of encryption, authentication and authorization: telemetry is not concealed in transit, and the implant has no way to tell a legitimate programmer or monitor from any other transmitter in range.
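To make the authentication half of that weakness concrete, here is a toy telemetry link added as an illustration for this page; it is not code from Medtronic, from the advisory, or from any real implant, and the frame layout, opcode, parameter name and demo key are all invented here and are not the Conexus protocol. It pairs an implant that applies any well-formed frame (any transmitter in range can change a setting) with one that requires an HMAC-SHA256 tag under a key shared with the legitimate programmer plus a monotonic counter, and runs a forged frame, a replayed capture and a tampered capture against both.

```python
"""Toy implant telemetry link: unauthenticated frames vs HMAC-authenticated, replay-protected
frames. Added illustration for this page; the frame layout, opcode and field names are
invented and are NOT the Conexus protocol."""
import hashlib
import hmac
import struct

SET_PARAMETER = 0x02          # invented opcode: change a therapy parameter
TAG_LEN = 32                  # HMAC-SHA256 tag length
BODY_FMT = ">IBH"             # counter (u32) | opcode (u8) | value (u16); invented layout
BODY_LEN = struct.calcsize(BODY_FMT)


class UnauthenticatedImplant:
    """Applies any well-formed frame: the radio cannot tell a clinic programmer
    from any other transmitter within range."""

    def __init__(self):
        self.settings = {"therapy_parameter": 200}   # invented parameter, arbitrary units

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 3:
            return False
        opcode, value = struct.unpack(">BH", frame)
        if opcode == SET_PARAMETER:
            self.settings["therapy_parameter"] = value
            return True
        return False


class AuthenticatedImplant:
    """Accepts a frame only if its HMAC-SHA256 tag verifies under a key shared with the
    legitimate programmer and its counter is strictly newer than the last accepted one."""

    def __init__(self, key: bytes):
        self.key = key
        self.settings = {"therapy_parameter": 200}
        self.last_counter = 0        # a real device would persist this in non-volatile memory

    def receive(self, frame: bytes) -> bool:
        if len(frame) != BODY_LEN + TAG_LEN:
            return False
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False             # forged, tampered or corrupted: drop before parsing fields
        counter, opcode, value = struct.unpack(BODY_FMT, body)
        if counter <= self.last_counter:
            return False             # genuine but stale: a replayed capture
        self.last_counter = counter
        if opcode == SET_PARAMETER:
            self.settings["therapy_parameter"] = value
            return True
        return False


class Programmer:
    """The legitimate clinic programmer: holds the shared key and a monotonic counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def build(self, opcode: int, value: int) -> bytes:
        self.counter += 1
        body = struct.pack(BODY_FMT, self.counter, opcode, value)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


def run_scenario() -> dict:
    """An in-range transmitter with no credentials, tried against both designs."""
    results = {}

    # 1. No authentication: the attacker's hand-built frame is applied as-is.
    weak = UnauthenticatedImplant()
    attacker_frame = struct.pack(">BH", SET_PARAMETER, 50)
    results["unauth_accepts_forgery"] = weak.receive(attacker_frame)
    results["unauth_parameter"] = weak.settings["therapy_parameter"]

    # 2. Authenticated link. Constructed demo key; a real device would provision one per implant.
    key = b"constructed-demo-key-0123456789ab"
    clinic = Programmer(key)
    strong = AuthenticatedImplant(key)

    legit = clinic.build(SET_PARAMETER, 180)
    results["auth_accepts_legit"] = strong.receive(legit)

    # Attacker without the key can only guess a tag.
    forged_body = struct.pack(BODY_FMT, 99, SET_PARAMETER, 50)
    forged = forged_body + hmac.new(b"wrong-key", forged_body, hashlib.sha256).digest()
    results["auth_accepts_forgery"] = strong.receive(forged)

    # Attacker captured the legitimate frame and replays it later.
    results["auth_accepts_replay"] = strong.receive(legit)

    # Attacker flips the value inside the captured frame, leaving the tag untouched.
    tampered = bytearray(legit)
    tampered[5] ^= 0xFF          # offset 5 = value high byte (counter 4 bytes + opcode 1)
    results["auth_accepts_tamper"] = strong.receive(bytes(tampered))

    results["auth_parameter"] = strong.settings["therapy_parameter"]
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

This covers only the authentication and replay side of the problem. The "no encryption" part would additionally need an authenticated cipher such as AES-GCM over the body (not available in the Python standard library, so it is left out here), and the hard engineering problem on a real implant is provisioning and protecting the per-device key, not the tag check itself.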
In its report, DHS said a hacker would only need a low skill level to exploit the weakness, contributing to it classifying the problem as critical. Medtronic framed the problem differently in its notice, stating that while someone may be able to access Conexus they would need detailed knowledge of medical devices, wireless telemetry and electrophysiology to harm a patient.
Medtronic argues the risk is further diminished by a range of factors. Notably, a hacker would need to be within 20 feet of a patient at a time when the radiofrequency function is active. The function is active during follow-up clinic visits and for other brief, hard-to-predict windows.
To further mitigate the risk, Medtronic has "applied additional controls for monitoring and responding to improper use of the Conexus telemetry protocol," according to DHS. Medtronic is also working on updates that will strengthen its cybersecurity defenses, according to FDA.
Until those defenses are in place, DHS is advising users to take extra precautions, for example by maintaining "good physical control over home monitors and programmers." Those units are what open the radiofrequency sessions, so keeping them under control limits the windows in which someone nearby could gain access.
In recent years, DHS has issued a growing number of cybersecurity notices covering medical devices from companies including Abbott, BD, GE Healthcare, Johnson & Johnson and Philips. Many of those notices concerned weaknesses that received far lower scores on the same scale than Medtronic's issue.
Affected Medtronic devices, according to FDA, include:
- Amplia MRI CRT-D, all models
- Claria MRI CRT-D, all models
- Compia MRI CRT-D, all models
- Concerto CRT-D, all models
- Concerto II CRT-D, all models
- Consulta CRT-D, all models
- Evera MRI ICD, all models
- Evera ICD, all models
- Maximo II CRT-D and ICD, all models
- Mirro MRI ICD, all models
- Nayamed ND ICD, all models
- Primo MRI ICD, all models
- Protecta CRT-D and ICD, all models
- Secura ICD, all models
- Virtuoso ICD, all models
- Virtuoso II ICD, all models
- Visia AF MRI ICD, all models
- Visia AF ICD, all models
- Viva CRT-D, all models
- CareLink 2090 Programmer
- MyCareLink Monitor, models 24950 and 24952
- CareLink Monitor, Model 2490C