As many as 750,000 heart devices made by Medtronic PLC contain a serious cybersecurity vulnerability that could let an attacker with sophisticated insider knowledge harm a patient by altering the programming on an implanted defibrillator, federal officials said March 21.
The Homeland Security Department, which oversees security in critical U.S. infrastructure including medical devices, issued an alert March 21 describing two types of computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some still on the market today. The vulnerability also affects bedside monitors that read data from the devices in patients’ homes and in-office programming computers used by doctors.
Implantable defibrillators are complex, battery-run computers implanted in patients’ upper chests to monitor the heart and send electric pulses or high-voltage shocks to prevent sudden cardiac death and treat abnormal heartbeats. The vulnerabilities announced Thursday are limited to implantable defibrillators and do not affect Medtronic pacemakers.
Medtronic, run from offices in Fridley, says the risk of physical harm to defibrillator patients appears to be low, even though one of the two issues described by Homeland Security was assigned a CVSS base score of 9.3 out of 10. A higher CVSS base score indicates a more severe vulnerability, but it assumes an attacker already has the knowledge and tools to mount the attack.
Although the vulnerabilities could be prevented by shutting off the devices’ wireless communications, Medtronic is urging doctors and patients to keep the devices’ wireless communications switched on. Remote patient monitoring can alert doctors to developing health or device problems, and has been shown to improve outcomes in heart-device patients.
The vulnerabilities were discovered by two different teams of security researchers and reported to Medtronic, which investigated the issue and then reported it to authorities, Medtronic officials said.
Medtronic is now actively monitoring its network for signs that someone is trying to exploit the vulnerabilities. Medtronic officials say affected defibrillators contain a feature that puts the device into a safe mode and shuts down wireless communications upon receiving unusual commands.
Dr. Robert Kowal, chief medical officer for Medtronic’s cardiac rhythm and heart failure products, said in an interview that a malicious hacker would have to be within 20 feet or so of the patient, would need detailed knowledge of the devices’ inner workings like when they’re open to receiving transmissions, and have possession of specialized technology to pull off the hack.
“No. 1, this would be very hard to exploit to create harm,” Kowal said. “No. 2, we know of no evidence that anyone’s ever done this. And 3, we are working closely with FDA as this whole cyber issue evolves to make sure we are not only handling this problem but we’re working on future devices to optimize security vs. functionality.”
The FDA is not expected to issue a recall. Rather, the vulnerabilities will likely be addressed through a future software patch, as happened last year with a widespread vulnerability in implantable defibrillators made by St. Jude Medical, which was Minnesota-based until it was acquired by Chicago’s Abbott Laboratories in 2017.
Security researcher Ben Ransford, CEO of medical-device security firm Virta Labs, said he agreed with the assessments of Medtronic and federal officials that the vulnerabilities in the Medtronic defibrillators were not serious enough that patients should consider having replacement surgery.
“If I had one of these devices, I would not be concerned that this meant an attack is coming, or anything like that,” said Ransford, who was not involved in detecting or investigating the vulnerabilities.
WHAT TO KNOW
- Defibrillators do not need to be replaced. Medtronic says a software update is coming; there are no plans for a recall.
- Turning off the devices’ wireless communication would prevent the vulnerabilities, but would also turn off beneficial features.
- Patients should only use bedside monitors provided by their doctor or the company.
- Patients should maintain physical control over their devices and report any concerns.