Medtronic discloses wireless cybersecurity flaw in several implantable cardiac devices

Alongside a safety notice from the FDA, Medtronic has disclosed a potential cybersecurity vulnerability in a number of its implantable cardiac devices, including defibrillators and resynchronization therapy hardware.

The security flaw was found in the company’s Conexus wireless communication protocol, which uses short-range radio frequencies to transmit unencrypted data to program the devices or gather information from the implants.

According to Medtronic’s disclosure (PDF), the vulnerabilities could allow unauthorized access to, and changes to the settings of, the implanted device, at-home monitors or programmers in the clinic. The medtech giant said there have been no reports of a related cyberattack, privacy breach or patient harm.

The affected devices cover models across several product lines, including the Amplia, Claria, Compia, Concerto, Consulta and Viva CRT-D devices, plus the Evera, Maximo II, Mirro, Nayamed ND, Primo, Protecta, Secura, Virtuoso and Visia implantable defibrillators, as well as certain CareLink monitors and programmers. Conexus telemetry is not used in Medtronic’s pacemakers, including those with Bluetooth functionality.

RELATED: FDA planning to require cybersecurity checks in device submissions

Medtronic recommended that the devices continue to be used, saying that the benefits of remote monitoring outweigh the practical risk of a cyberattack: to exploit the vulnerability, an attacker would need specialized medical device knowledge and would have to be physically near the device in order to intercept or transmit a signal, the company said.

In addition, the devices would have to be primed to receive wireless communications, such as during a clinical visit or during brief data uploads, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which also issued a vulnerability notice.

The FDA recommended that patients keep their home monitors plugged in to ensure timely transmissions of wireless alerts and cardiac data, and said that reprogramming or updating the devices is not required at this time.

RELATED: Medtronic disables updates for pacemaker programmers over cybersecurity concerns

Last fall, Medtronic halted updates to some of its CareLink pacemaker programmers, after vulnerabilities were identified in the update download process that could allow an individual to hijack the process and fill the devices with non-Medtronic software. The devices could still receive updates via a USB port.