Medtronic found a cybersecurity vulnerability that could enable hackers to take control of certain electrosurgical generators, the company said Thursday.
The Department of Homeland Security issued an advisory on the vulnerability, rating it a 9.8 on a 10-point risk scale, reflecting the potential for a low-skilled hacker to remotely exploit the weakness.
Medtronic created a software patch for some of the affected devices but it is still working to provide a fix for all the generators.
The vulnerability affects Valleylab FT10 and Valleylab FX8, electrosurgical generators Medtronic acquired in its $42.9 billion takeover of Covidien, which closed in early 2015. Healthcare professionals use the devices in surgical procedures, such as vessel sealing.
Medtronic said it has found several cybersecurity vulnerabilities that affect the generators. DHS identified a weakness in the system used to upload files as the biggest problem, awarding it a 9.8 score on the cybersecurity risk scale.
The company explained the potential harm that could stem from the weakness in a security bulletin to disclose the problem. "These vulnerabilities could allow an unauthorized individual to take control of an electrosurgical generator, either through the network or through physical access to the device and change various settings," Medtronic wrote.
DHS grouped the file upload vulnerability with two other weaknesses, which scored 5.8 and 7.0 on the risk scale. The other two vulnerabilities relate to the encryption of passwords and access to files kept on the devices.
Medtronic and DHS also disclosed a second set of vulnerabilities that affect the RFID security mechanism that Valleylab FT10 and Valleylab LS10 use to check whether surgical instruments are authentic. A hacker could use one of the RFID vulnerabilities to bypass the security mechanism, thereby enabling the use of instruments other than authentic Medtronic products. DHS rated the issue as 4.8 on the risk scale.
Work is underway to fix both sets of vulnerabilities. Medtronic has developed a patch for some versions of its FT10 devices that is designed to address all of the weaknesses. The company will notify users of FX8 and LS10 generators when a patch for their devices is available. In the meantime, Medtronic is encouraging users to take precautions such as only connecting the generators to the hospital network when necessary.
The DHS cybersecurity alerts for the two sets of vulnerabilities are the ninth and tenth covering Medtronic devices, as listed by the Cybersecurity and Infrastructure Security Agency. None of the previous vulnerabilities received a risk rating as high as the 9.8 awarded to the file upload weakness.