By Joe Carlson
As many as 750,000 heart devices made by Medtronic PLC contain a serious cybersecurity vulnerability that could let an attacker with sophisticated insider knowledge to harm a patient by altering programming on an implanted defibrillator, federal officials said today.
The Homeland Security Department, which oversees security in critical U.S. infrastructure including medical devices, issued an alert Thursday describing two types of computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some still on the market today. The vulnerability also affects bedside monitors that read data from the devices in patients’ homes and in-office programming computers used by doctors.
Implantable defibrillators are complex, battery-run computers implanted in patients’ upper chests to monitor the heart and send electric pulses or high-voltage shocks to prevent sudden cardiac death and treat abnormal heart beats. The vulnerabilities announced Thursday are limited to implantable defibrillators and do not affect Medtronic pacemakers.
Medtronic, run from offices in Fridley, says the risk of physical harm to defibrillator patients appears to be low, even though one of the two issues described by Homeland Security was assigned a CVSS base score of 9.3 out of 10. A higher CVSS base sore indicates a more severe vulnerability, but it assumes an attacker already has the knowledge and tools to mount the attack.
Although the vulnerabilities could be prevented by shutting off the devices’ wireless communications, Medtronic is urging doctors and patients to keep the devices’ wireless communications switched on. Remote patient monitoring can alert doctors to developing health or device problems, and has been shown to improve outcomes in heart-device patients.
The vulnerabilities were discovered by two different teams of security researchers and reported to Medtronic, which investigated the issue and then reported it to authorities, Medtronic officials said.
Medtronic is now actively monitoring its network for signs of that someone was trying to exploit the vulnerabilities. Medtronic officials say affected defibrillators contain a feature that puts the device into a safe mode and shuts down wireless communications upon receiving unusual commands.
Dr. Robert Kowal, chief medical officer for Medtronic’s cardiac rhythm and heart failure products, said in an interview that a malicious hacker would have to be within 20 feet or so of the patient, would need detailed knowledge of the devices’ inner workings like when they’re open to receiving transmissions, and have possession of specialized technology to pull off the hack.
“No. 1, this would be very hard to exploit to create harm,” Kowal said. “No. 2, we know of no evidence that anyone’s ever done this. And 3, we are working closely with FDA as this whole cyber issue evolves to make sure we are not only handling this problem but we’re working on future devices to optimize security vs. functionality.”
The FDA is not expected to issue a recall. Rather, the vulnerabilities will likely be addressed through a future software patch, as happened last year with a widespread vulnerability in implantable defibrillators made by St. Jude Medical, which was Minnesota-based until it was acquired by Chicago’s Abbott Laboratories in 2017.
Security researcher Ben Ransford, CEO of medical-device security firm Virta Labs, said he agreed with the assessments of Medtronic and federal officials that the vulnerabilities in the Medtronic defibrillators were not serious enough that patients should consider having replacement surgery.
“If I had one of these devices, I would not be concerned that this meant an attack is coming, or anything like that,” said Ransford, who was not involved in detecting or investigating the vulnerabilities.
But Ransford did say it was surprising that issues like the ones in Thursday’s advisory continue to crop up in Medtronic defibrillators, since this variety of vulnerability has been known since 2008.
A decade ago Ransford was part of a team of researchers — a team that also included the FDA’s current chief medical officer for devices, Dr. William Maisel, before he got that job — that tested a bacon-wrapped Medtronic Maximo defibrillator and came to the surprising conclusion that it could be hacked.
In the groundbreaking paper, the researchers reported that they could cause their compromised device to issue shocks on command, shut down its lifesaving features, and change functionality so the battery would wear out.
“It looks like a manufacturer still has some work to do,” Ransford said. “It looks like they haven’t quite solved the problem yet, after a good ten years of knowing about this class of problems.”
Ransford said the effects of the attack appeared to be essentially the same, regardless of the specific route used to attack the device. Medtronic officials said the vulnerabilities described in the 2008 paper involved totally different communications protocol.
The Homeland Security advisory describes two specific vulnerabilities in the Medtronic defibrillators.
The more serious of the two is a vulnerability that could allow improper access to data sent between a defibrillator and an external device like an at-home monitor. The system doesn’t use formal authentication or authorization protections, which means an attacker with short-range access to the device could inject or modify data and change device settings, the advisory says.
A second vulnerability allows an attackers to read sensitive data streaming out of the device, which could include the patient’s name and past health data stored on their device. The system does not use data encryption, the advisory says.
The common connection between all of the vulnerabilities and affected devices is Medtronic’s proprietary Connexus “telemetry protocol” or communication system.
The FDA first approved a device with the Connexus protocol in 2006. At the time, the system was hailed as a first-of-its-kind breakthrough that would make office visits more efficient and allow data to automatically be transmitted from an implanted device to an at-home monitor to the doctor’s office via the internet.
However, Kowal noted that the vulnerabilities in Thursday’s alert must be exploited in close physical proximity to the patient.
“Nothing about this issue is related to access via the internet,” he said. “The only way someone could gain access to the wireless system and try to do anything is in proximity to the patient. Because of the signal strength, you’d have to be within about 20 feet of the device.”
Thursday’s advisory affects two type of defibrillators: standard implantable cardioverter defibrillators (ICDs) as well as more complex cardiac resynchronization therapy defibrillators (CRT-Ds) that can deliver current to both sides of the heart. Some of the models are approved to be compatible with magnetic-resonance imaging, or MRI.
The advisory includes all models of these defibrillators: Amplia MRI CRT-Ds, Claria MRI CRT-Ds, Compia MRI CRT-Ds, Concerto and Concerto II CRT-Ds, Consulta CRT-Ds, Evera and Evera MRI ICDs, Maximo II ICDs and CRT-Ds, Mirro MRI ICDs, Nayamed ND ICDs, Primo MRI ICDs, Protecta CRT-Ds and ICDs, Secura ICDs, Virtuoso ICDs, and Virtuoso II ICDs. The advisory also pertains to: CareLink 2090 device programmers, Model 2490C CareLink Monitors, and Models 24950 and 24952 MyCareLink Monitors.
Joe Carlson � 612-673-4779
This article is written by Joe Carlson from Star Tribune and was legally licensed via the Tribune Content Agency through the NewsCred publisher network. Please direct all licensing questions to firstname.lastname@example.org.