Medical device company Medtronic admits that many of its implanted cardiac defibrillators have flaws that leave them vulnerable to cyber attacks.
External security researchers from KU Leuven and the University of Birmingham disclosed the potential cybersecurity vulnerabilities in some Medtronic products.
Vulnerable To Hackers
Medtronic's affected products do not use formal authentication or authorization protections. This means that an unauthorized individual can access and potentially change the settings of an implantable device, home monitor, or clinic programmer.
The Cybersecurity and Infrastructure Security Agency of the U.S. Department of Homeland Security also issued a warning that the vulnerabilities in several Medtronic devices may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency communication.
The vulnerability received a high severity score of 9.3 on a 10-point scale.
Products and versions of Medtronic devices using the wireless Conexus telemetry protocol are affected, including implantable defibrillators, cardiac resynchronization therapy defibrillators, and bedside monitors.
Conexus links the defibrillators to home monitors and to doctors and device programmers in remote locations. As many as 750,000 Medtronic heart devices are affected by the security flaw.
This is not the first time that Medtronic has faced security issues with its devices. In October 2018, the company disabled internet updates for almost 34,000 CareLink programming devices that are used to access implanted pacemakers, due to vulnerabilities to cyber attacks.
What Are Implantable Cardiac Defibrillators?
The implantable cardiac defibrillator, or ICD, is a battery-powered device implanted under the skin of a person's chest to keep track of the heart rate. Thin wires connect the ICD to the heart. If an abnormal heart rhythm is detected, such as the heart beating too fast, the device will deliver electric pulses or high-voltage shocks to restore a normal heartbeat.
ICDs are also useful in preventing sudden death in patients with ventricular tachycardia or fibrillation. This device may have a role in preventing cardiac arrest in high-risk patients who are prone to life-threatening ventricular arrhythmias.
The company said it is conducting security checks to look for unauthorized or unusual activity that could be related to the vulnerabilities.
Medtronic recommends that patients use only the remote monitor obtained directly from a health care provider. Patients must also maintain good physical control over the remote monitor and report any concerning behavior regarding these products to Medtronic.
Patients must also keep the monitor powered on to receive transmissions programmed by the physician.
The Food and Drug Administration recommends that health care providers continue using the CareLink programmers for programming, testing, and evaluation of ICD and CRT-D patients.
"The benefits of remote wireless monitoring of an implantable device outweigh the practical risk of an unauthorized user exploiting these devices' vulnerabilities," the FDA advisory stated.