por Thomas Dworetzky
, Contributing Reporter | April 03, 2019
The Department of Homeland Security has issued an alert over hacking vulnerabilities in 16 Medtronic implantable defibrillator models – a total of as many as 750,000 heart devices.
“The vulnerabilities apply to the proprietary Medtronic Conexus radio frequency wireless telemetry protocol, associated with some Medtronic ICDs (implantable cardioverter defibrillators) and CRT-Ds (cardiac resynchronization therapy defibrillators),” Medtronic said in its own alert about the issue.
According to DHS, the exploit could let an attacker “interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data.”
Special-Pricing Available on Medical Displays, Patient Monitors, Recorders, Printers, Media, Ultrasound Machines, and Cameras.This includes Top Brands such as SONY, BARCO, NDS, NEC, LG, EDAN, EIZO, ELO, FSN, PANASONIC, MITSUBISHI, OLYMPUS, & WIDE.
To hack the devices, a fairly low level of expertise is needed, just an “RF device capable of transmitting or receiving Conexus telemetry communication, such as a monitor, programmer, or software-defined radio (SDR), and short-range access to the devices when RF is active.”
Once the devices are exploited a hacker can read or write any location in their memory.
A second vulnerability, of less potential damage, would let a hacker read information stored in the device, such as a patient’s name and health data.
“To date, no cyberattack, privacy breach, or patient harm has been observed or associated with these vulnerabilities.
Conexus telemetry is not used in Medtronic pacemakers (including those with Bluetooth wireless functionality),” noted the company, adding that, “CareLink Express monitors and the CareLink Encore programmers (Model 29901) used by some hospitals and clinics do not use Conexus telemetry.”
At present, the company recommended that “patients use only bedside monitors obtained from a doctor or from Medtronic directly, to keep them plugged in so they can receive software updates, and that patients maintain 'good physical control' over the monitor,” according to the Star Tribune
While it is possible to disable the wireless on the devices, the company urged patients and healthcare providers to continue to use it, noting that, “the benefits of remote monitoring outweigh the practical risk that these vulnerabilities could be exploited.” The company also advised that it is working on “updates to mitigate these vulnerabilities.”
Dr. Robert Kowal, chief medical officer for Medtronic’s cardiac rhythm and heart failure products, told the Star Tribune that to exploit the device a hacker would have to know its inner workings – and be about 20 feet or closer.