Over 90 Total Lots Up For Auction at One Location - WA 04/08

DHS warns some Medtronic implantable defibrillators vulnerable to hacking

by Thomas Dworetzky, Contributing Reporter | April 03, 2019
Cardiology
The Department of Homeland Security has issued an alert over hacking vulnerabilities in 16 Medtronic implantable defibrillator models – a total of as many as 750,000 heart devices.

“The vulnerabilities apply to the proprietary Medtronic Conexus radio frequency wireless telemetry protocol, associated with some Medtronic ICDs (implantable cardioverter defibrillators) and CRT-Ds (cardiac resynchronization therapy defibrillators),” Medtronic said in its own alert about the issue.

According to DHS, the exploit could let an attacker “interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data.”
stats
DOTmed text ad

Reveal Mobi Pro now available for sale in the US

Reveal Mobi Pro integrates the Reveal 35C detector with SpectralDR technology into a modern mobile X-ray solution. Mobi Pro allows for simultaneous acquisition of conventional & dual-energy images with a single exposure. Contact us for a demo at no cost.

stats
To hack the devices, a fairly low level of expertise is needed, just an “RF device capable of transmitting or receiving Conexus telemetry communication, such as a monitor, programmer, or software-defined radio (SDR), and short-range access to the devices when RF is active.”

Once the devices are exploited a hacker can read or write any location in their memory.

A second vulnerability, of less potential damage, would let a hacker read information stored in the device, such as a patient’s name and health data.

“To date, no cyberattack, privacy breach, or patient harm has been observed or associated with these vulnerabilities.

Conexus telemetry is not used in Medtronic pacemakers (including those with Bluetooth wireless functionality),” noted the company, adding that, “CareLink Express monitors and the CareLink Encore programmers (Model 29901) used by some hospitals and clinics do not use Conexus telemetry.”

At present, the company recommended that “patients use only bedside monitors obtained from a doctor or from Medtronic directly, to keep them plugged in so they can receive software updates, and that patients maintain 'good physical control' over the monitor,” according to the Star Tribune.

While it is possible to disable the wireless on the devices, the company urged patients and healthcare providers to continue to use it, noting that, “the benefits of remote monitoring outweigh the practical risk that these vulnerabilities could be exploited.” The company also advised that it is working on “updates to mitigate these vulnerabilities.”

Dr. Robert Kowal, chief medical officer for Medtronic’s cardiac rhythm and heart failure products, told the Star Tribune that to exploit the device a hacker would have to know its inner workings – and be about 20 feet or closer.

You Must Be Logged In To Post A Comment