Medtronic discloses wireless cybersecurity flaw in several implantable cardiac devices

cybersecurity
Medtronic and the FDA recommended that the devices continue to be used, saying that the benefits of remote monitoring outweighed the practical risks of a cyberattack. (Pixabay)

Alongside a safety notice from the FDA, Medtronic has disclosed a potential cybersecurity vulnerability in a number of its implantable cardiac devices, including defibrillators and resynchronization therapy hardware.

The security flaw was found in the company’s Conexus wireless communication protocol, which uses short-range radio frequencies to transmit unencrypted data to program the devices or gather information from the implants.

According to Medtronic’s disclosure (PDF), the vulnerabilities could allow access and changes to the settings of the device, at-home monitors or programmers in the clinic. The medtech giant said there have been no reports of a related cyberattack, privacy breach or patient harm.

FREE DAILY NEWSLETTER

Like this story? Subscribe to FierceBiotech!

Biopharma is a fast-growing world where big ideas come along every day. Our subscribers rely on FierceBiotech as their must-read source for the latest news, analysis and data in the world of biotech and pharma R&D. Sign up today to get biotech news and updates delivered to your inbox and read on the go.

The affected devices cover models across several product lines, including the Amplia, Claria, Compia, Concerto, Consulta and Viva CRT-D devices, plus the Evera, Maximo II, Mirro, Nayamed ND, Primo, Protecta, Secura, Virtuoso and Visia implantable defibrillators, as well as certain CareLink monitors and programmers. Conexus telemetry is not used in Medtronic’s pacemakers, including those with Bluetooth functionality.

RELATED: FDA planning to require cybersecurity checks in device submissions

Medtronic recommended that the devices continue to be used, saying that the benefits of remote monitoring outweighed the practical risks of cyberattack—in order to exploit the vulnerability, an attacker would need to have specialized medical device knowledge and be physically near the device in order to intercept or transmit a signal, the company said.

In addition, the devices would have to be primed to receive wireless communications, such as during a clinical visit or during brief data uploads, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which also issued a vulnerability notice.

The FDA recommended that patients keep their home monitors plugged in to ensure timely transmissions of wireless alerts and cardiac data, and said that reprogramming or updating the devices is not required at this time.

RELATED: Medtronic disables updates for pacemaker programmers over cybersecurity concerns

Last fall, Medtronic halted updates to some of its CareLink pacemaker programmers, after vulnerabilities were identified in the update download process that could allow an individual to hijack the process and fill the devices with non-Medtronic software. The devices could still receive updates via a USB port.

Suggested Articles

The FDA warned healthcare providers about cybersecurity vulnerabilities within certain clinical information systems made by GE Healthcare.

Weeks after receiving FDA approval for its in-office eardrum tube device, Tusker Medical has been picked up by Smith & Nephew for an undisclosed sum.

What a difference a day makes in biotech.