The Department of Homeland Security (DHS) has flagged a weakness in the security of a device for programming Medtronic’s neurostimulator implants. Exploiting the vulnerability would give a hacker access to personal health information.
After being alerted to the vulnerability by security company WhiteScope, the DHS put out a notice alerting users to the risk the N’Vision clinician programmer could leak personal information.
Physical access to an N’Vision flash card is needed to access the information. Once that barrier is overcome, an attacker would need little skill to access the information, which isn’t encrypted by the device at rest. The issue was given a score of 4.6, classing it as a medium-severity vulnerability.
Medtronic is yet to develop a product update to address the vulnerability but has highlighted steps users can take to minimize the risk. These center on ensuring the flash cards do not fall into the wrong hands.
The warning is the latest in a series of medtech-related notices put out by the DHS over the past month. In that time, the DHS has flagged vulnerabilities with products from Abbott, BD, GE Healthcare, Johnson & Johnson and Philips. The flurry of activity means the DHS has issued as many medtech warnings over the past four weeks as it did in all of the first quarter of the year.
That acceleration continues the trend seen over the past 18 months. The number of medtech-related warnings issued so far this year is already in the same ballpark as the figure for all of 2017.
The risks posed by the vulnerabilities varies from product to product, both because of differences in the ease of exploiting them and the likely fallout from doing so. But the National Cybersecurity and Communications Integration Center is advising users to take mitigating steps even when the chances of a breach are slim.
Medtronic issued a statement about the DHS notification.
"Medtronic was notified by an external security researcher of a potential vulnerability related to the Medtronic N’Vision 8840 Physician Programmer, a small, handheld device used solely by healthcare professionals to program certain Medtronic neuromodulation devices. The researcher’s report details that the compact flash application card used in the physician programmer may contain unencrypted patient personal health information if that information is not deleted following individual patient device programming," the company said.