Medtronic taps IoT security startup Sternum to prevent pacemaker hacks

In much the same way that the sternum protects the heart, Medtronic has turned to aptly named cybersecurity startup Sternum to protect its cardiac pacemakers from hackers.

Their collaboration comes only a few months after the federal Cybersecurity and Infrastructure Security Agency issued a warning about vulnerabilities in Medtronic’s MyCareLink patient monitoring system. Even hackers of “low skill level” could break into the system using Bluetooth and potentially manipulate a connected pacemaker, the agency said.

The potential breach was first detected and reported to Medtronic by none other than Sternum itself.

According to the December notice, Medtronic had not detected any breaches or other cyberattacks related to that vulnerability. The company issued an update to the system’s connected smartphone app to patch the issue.

The new partnership with Sternum is more of a long-term fix. With the help of the Israel-based cybersecurity provider, Medtronic has now secured approximately 100,000 of its devices, TechCrunch reports.

Sternum’s platform, unveiled this month, protects existing Internet of Things devices with a simple software update rather than a total coding rewrite.

The platform centers on a cloud-based monitoring and analytics system that provides constant updates about the safety of protected devices and detects hacking attempts in real time. In response to any potential harm, the system issues automatic updates to the devices' security protocols.

“There’s this endless race against vulnerability, so when a company discovers a vulnerability, they need to issue an update, but updating can be very difficult in the medical space, and until the update happens, the devices are vulnerable,” Sternum CEO Natali Tshuva told TechCrunch.

“Therefore, we created an autonomous security that operates from within the device that can protect it without the need to update and patch vulnerabilities,” Tshuva said.

Medtronic has faced a flurry of cybersecurity issues among its array of connected medical devices in the last several years.

In late 2018, for example, the company wrote a letter to healthcare professionals announcing that it would disable wireless updates for two of its CareLink devices; updates could still be completed via USB port. The issue was resolved in January 2020, at which time Medtronic said the devices could resume online updates.

And in March 2019, Medtronic disclosed potential vulnerabilities in several of its implantable cardiac devices linked to the Conexus wireless communication protocol, affecting defibrillators, resynchronization therapy hardware, CareLink monitors and more. Though the security problems meant hackers could gain access to the devices, connected monitors or clinical programming devices, both Medtronic and the FDA said the devices should continue to be used.

Medtronic finished securing all affected devices earlier this month, when it noted, “To date, no cyberattack, privacy breach or patient harm has been observed or associated with these vulnerabilities.”