Medtronic discloses wireless cybersecurity flaw in several implantable cardiac devices

Medtronic and the FDA recommended that the devices continue to be used, saying that the benefits of remote monitoring outweighed the practical risks of a cyberattack. (Pixabay)

Alongside a safety notice from the FDA, Medtronic has disclosed a potential cybersecurity vulnerability in a number of its implantable cardiac devices, including defibrillators and resynchronization therapy hardware.

The security flaw was found in the company’s Conexus wireless communication protocol, which uses short-range radio frequencies to transmit unencrypted data to program the devices or gather information from the implants.

According to Medtronic’s disclosure (PDF), the vulnerabilities could allow access and changes to the settings of the device, at-home monitors or programmers in the clinic. The medtech giant said there have been no reports of a related cyberattack, privacy breach or patient harm.

The affected devices cover models across several product lines, including the Amplia, Claria, Compia, Concerto, Consulta and Viva CRT-D devices, plus the Evera, Maximo II, Mirro, Nayamed ND, Primo, Protecta, Secura, Virtuoso and Visia implantable defibrillators, as well as certain CareLink monitors and programmers. Conexus telemetry is not used in Medtronic’s pacemakers, including those with Bluetooth functionality.

Medtronic recommended that the devices continue to be used, saying that the benefits of remote monitoring outweighed the practical risks of a cyberattack. To exploit the vulnerability, an attacker would need specialized medical device knowledge and would have to be physically near the device in order to intercept or transmit a signal, the company said.

In addition, the devices would have to be primed to receive wireless communications, such as during a clinical visit or during brief data uploads, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which also issued a vulnerability notice.

The FDA recommended that patients keep their home monitors plugged in to ensure timely transmissions of wireless alerts and cardiac data, and said that reprogramming or updating the devices is not required at this time.

Last fall, Medtronic halted updates to some of its CareLink pacemaker programmers, after vulnerabilities were identified in the update download process that could allow an individual to hijack the process and fill the devices with non-Medtronic software. The devices could still receive updates via a USB port.