Warnings Issued About Medtronic Cardiac DevicesWireless Communication Weakness Could Allow Attackers to Manipulate Products
Federal regulators and medical device maker Medtronic have issued warnings about cybersecurity vulnerabilities in certain cardiac devices from the manufacturer that could allow attackers to manipulate the products' functionality, posing potential safety risks to patients.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
On Thursday, the Food and Drug Administration, the Department of Homeland Security and Medtronic each issued separate but related alerts pertaining to vulnerabilities identified by several external security researchers.
The vulnerabilities involve a lack of access control - no implemented authentication - and a lack of encryption used on wirelessly transmitted data.
No Attacks Known
In a statement to Information Security Media Group, Medtronic says that approximately 750,000 implantable cardioverter defibrillators and implantable cardiac resynchronization therapy/defibrillator devices are impacted.
The vulnerabilities were discovered in wireless telemetry technology used for communication between Medtronic's implantable cardiac defibrillators, clinic programmers, and home monitors, the FDA says.
"Although the system's overall design features help safeguard patients, Medtronic is developing updates to further mitigate these cybersecurity vulnerabilities," FDA says in its alert.
To date, the FDA is not aware of any reports of patient harm related to these cybersecurity vulnerabilities, the agency adds.
In its related alert, DHS writes that the vulnerabilities involve "improper access controls" and "cleartext" - or unencrypted - communication transmission of sensitive information.
Successful exploitation of these vulnerabilities may allow an attacker or other unauthorized user with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency communication of the Medtronic proprietary "Conexus telemetry system," DHS writes.
"These kinds of devices should not have this kind of vulnerability. Security and privacy should be built in, by design, into medical devices."
—David Finn, CynergisTek
Such attacks could potentially impact product functionality and/or allow access to transmitted sensitive data, DHS says. "The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device."
DHS notes that Medtronic's Conexus telemetry protocol uses wireless radio frequency to enable communication between the devices and allows Medtronic programmers and monitoring accessories to do one or more of the following:
- Remotely transmit data from a patient's implanted cardiac device to a specified healthcare clinic for remote monitoring;
- Allow clinicians to display and print device information in real-time;
- Allow clinicians to program implanted device settings.
In the statement provided to Information Security Media Group, Medtronic says it is developing a series of software updates to better secure the wireless communication affected by these issues. The first update is scheduled for later in 2019, subject to regulatory approvals.
In the meantime, "Medtronic and the FDA recommend that patients and physicians continue to use devices and technology as prescribed and intended, as this provides for the most efficient way to manage patients' devices and heart conditions," the Medtronic statement to ISMG notes.
The company has posted on its website the full list of cardiac products impacted by the warning.
The company also notes that its Conexus telemetry is not used in Medtronic pacemakers, including those with Bluetooth wireless functionality. Also, the company's CareLink Express monitors and the CareLink Encore programmers - Model 29901- used by some hospitals and clinics do not use Conexus telemetry, Medtronic notes.
David Finn, executive vice president at security consulting firm CynergisTek and a former healthcare CIO, says any vulnerability that allows an unauthorized user access to an implantable device, home monitor or programmer is "very serious," particularly given these particular Medtronic problems are associated with defibrillators.
"Defibrillation is a treatment used for life-threatening cardiac dysrhythmias. If I needed one of these devices, I'd be very concerned," he says. However, "we understand there is a vulnerability and it is clear the consequence is very high, but what really is the threat? You'd also have to someone who understood enough about the devices to be able to 'program' them to do harm with them in close proximity," he notes.
As for the lack of encryption used in the transmission of data, that too, is a common weakness in medical devices today, Finn notes.
"Authentication and encryption are really two key foundational elements to security. We will see more of the new medical devices include encryption," he says.
"I'd agree with the FDA that there is no need to replace the implantable defibrillator - that is another set of risks. But simply stated, these kinds of devices should not have this kind of vulnerability. Security and privacy should be built in, by design, into medical devices," he says.
These alerts are the latest warnings issued by regulators and Medtronic related to cybersecurity vulnerabilities identified in some of the company's cardiac products.
For instance, last October, the FDA announced a voluntary recall by Medtronic of certain internet-connected programmers for implantable cardiac devices because of cybersecurity vulnerabilities that could also potentially be exploited to allow an unauthorized user to alter the programmer's functionality (see Medtronic Cardiac Devices Recalled Due to Cyber Concerns).
Also, last December, Medtronic and DHS issued alerts about the lack of encryption on certain cardiac programming devices that also could potentially allow inappropriate access to patient information contained on the programmer (see Alerts: Some Cardiac Programmers Put PHI at Risk).
A Medtronic spokesman tells ISMG that the 2018 recall and product alert involving those cyber vulnerabilities are unrelated to the latest warnings.
"These are different vulnerabilities that impact certain implantable cardioverter defibrillators and implantable cardiac resynchronization therapy/defibrillator devices, programmers and home monitors," he says.