Medtronic discloses wireless cybersecurity flaw in several implantable cardiac devices

Medtronic and the FDA recommended that the devices continue to be used, saying that the benefits of remote monitoring outweighed the practical risks of a cyberattack. (Pixabay)

Alongside a safety notice from the FDA, Medtronic has disclosed a potential cybersecurity vulnerability in a number of its implantable cardiac devices, including defibrillators and resynchronization therapy hardware.

The security flaw was found in the company’s Conexus wireless communication protocol, which uses short-range radio frequencies to transmit unencrypted data to program the devices or gather information from the implants.

According to Medtronic’s disclosure (PDF), the vulnerabilities could allow access and changes to the settings of the device, at-home monitors or programmers in the clinic. The medtech giant said there have been no reports of a related cyberattack, privacy breach or patient harm.



The affected devices cover models across several product lines, including the Amplia, Claria, Compia, Concerto, Consulta and Viva CRT-D devices, plus the Evera, Maximo II, Mirro, Nayamed ND, Primo, Protecta, Secura, Virtuoso and Visia implantable defibrillators, as well as certain CareLink monitors and programmers. Conexus telemetry is not used in Medtronic’s pacemakers, including those with Bluetooth functionality.


Medtronic recommended that the devices continue to be used, saying that the benefits of remote monitoring outweighed the practical risks of a cyberattack. To exploit the vulnerability, an attacker would need specialized medical device knowledge and would have to be physically near the device to intercept or transmit a signal, the company said.

In addition, the devices would have to be primed to receive wireless communications, such as during a clinical visit or during brief data uploads, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which also issued a vulnerability notice.

The FDA recommended that patients keep their home monitors plugged in to ensure timely transmissions of wireless alerts and cardiac data, and said that reprogramming or updating the devices is not required at this time.


Last fall, Medtronic halted updates to some of its CareLink pacemaker programmers, after vulnerabilities were identified in the update download process that could allow an individual to hijack the process and fill the devices with non-Medtronic software. The devices could still receive updates via a USB port.
