Posted on 03/31/2019

Any connected device these days is a potential target of hackers—and that now includes defibrillators.

Implantable defibrillators made by Minneapolis, Minn.-based Medtronic could allow an attacker to interfere with and collect sensitive data from the devices, the Department of Homeland Security (DHS) said in a medical advisory.

A defibrillator is used to treat a life-threatening cardiac event by resetting the electrical state of the heart so that it can beat normally. In Medtronic's case, the defibrillator uses an unsecured protocol to communicate with other devices.

Exploiting the vulnerability requires only a “low skill level,” the DHS advisory said.

The issue affects certain ICD (implantable cardioverter defibrillator) and CRT-D (implantable cardiac resynchronization therapy/defibrillator device) models using the Conexus telemetry system, Medtronic told Fox News in a statement.

The problem does not affect pacemakers, insertable cardiac monitors or other Medtronic devices, the company said. “To date, no cyber attack, privacy breach, or patient harm has been observed or associated with these issues,” Medtronic added.

A key vulnerability is that the Conexus telemetry protocol (an automated communications process to collect data) used by the devices does not implement authentication or authorization, according to the DHS.

“An attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication,” the DHS advisory said.

The DHS advisory listed about 20 products and versions of Medtronic devices affected...

Defensive measures that users can take to minimize the risk include:

  • Maintain physical control over home monitors and programmers
  • Use only home monitors, programmers, and implantable devices obtained directly from your healthcare provider or a Medtronic representative to ensure integrity of the system
  • Do not connect unapproved devices to home monitors and programmers through USB ports or other physical connections


SOURCE: Fox News

See DHS medical advisory here.