The US Food and Drug Administration is warning patients using Medtronic defibrillators and home monitors that their devices are vulnerable to cybersecurity issues and could be hacked.
The agency said it identified cybersecurity issues in the wireless communication systems Medtronic devices use to send signals between the implantable cardiac devices, clinic programmers and home monitors. Because the communication systems are unencrypted, they could be accessed and changed by outside hackers—affecting the devices’ settings and their ability to save lives. The cybersecurity issue affects more than 20 models of defibrillators, monitors and programmer units manufactured by Medtronic.
The affected devices span Medtronic’s range of products, including cardiac devices that are particularly necessary for patients’ health. Medtronic’s implanted cardiac defibrillators are used by heart patients to correct an irregular or dangerously fast heartbeat. The threat also affects Medtronic’s resynchronization therapy defibrillators—commonly called pacemakers—that deliver small electrical charges to a patient’s heart to help maintain the flow of blood and heartbeat.
These 20 Medtronic cardiac devices all use a wireless technology called Conexus, which links the implanted defibrillators with home monitoring devices, as well as with the patient’s doctors and the device programmers who help maintain patient health and safety. Security researchers in Europe discovered the weakness, finding that the Conexus communication system transmits patient data both without encryption and without authentication, leaving the devices prone to hacking by outside attackers.
Medtronic Inc., based in Minnesota, is the largest medical device company in the world. After the FDA’s warning, the company admitted that many of its implanted cardiac defibrillators, programmers and home monitors use wireless communications that are not encrypted—leaving them vulnerable to an attacker hacking in and changing the settings of the lifesaving devices.
Alongside the FDA’s warning, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency emphasized the severity of the threat, giving the flaw a vulnerability score of 9.3 out of 10—in the top levels of its warning scale. The agency warned that this cybersecurity vulnerability in the devices could allow an attacker to hack into the communications system and rewrite its settings.
But despite these warnings, the FDA is advising all users of Medtronic devices to continue using them, because the benefits outweigh the risks of a cyberattack. The agency said it was not aware of any reports of patients being harmed by this cybersecurity weakness, only that the vulnerabilities are there.
The FDA is also advising cardiologists, cardiac surgeons, primary care physicians, and other health care professionals treating patients with Medtronic devices to counsel their patients about the hacking threat. But, the agency says, these health care professionals should still advise their patients to continue using the Medtronic monitors, despite the risk of hacking.
This is not the only time that Medtronic’s health devices have been shown to be vulnerable to cyberattack: just last October, the company’s CareLink programmers and pacemakers were also found to have weak encryption that is vulnerable to hacking. In response to that threat on CareLink devices, Medtronic shut down all of its internet updates on these health devices.