DHS warns some Medtronic implantable defibrillators vulnerable to hacking
April 03, 2019
by Thomas Dworetzky, Contributing Reporter
The Department of Homeland Security has issued an alert over hacking vulnerabilities in 16 Medtronic implantable defibrillator models – a total of as many as 750,000 heart devices.
“The vulnerabilities apply to the proprietary Medtronic Conexus radio frequency wireless telemetry protocol, associated with some Medtronic ICDs (implantable cardioverter defibrillators) and CRT-Ds (cardiac resynchronization therapy defibrillators),” Medtronic said in its own alert about the issue.
According to DHS, the exploit could let an attacker “interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data.”
To hack the devices, a fairly low level of expertise is needed, just an “RF device capable of transmitting or receiving Conexus telemetry communication, such as a monitor, programmer, or software-defined radio (SDR), and short-range access to the devices when RF is active.”
Once the devices are exploited a hacker can read or write any location in their memory.
A second vulnerability, of less potential damage, would let a hacker read information stored in the device, such as a patient’s name and health data.
“To date, no cyberattack, privacy breach, or patient harm has been observed or associated with these vulnerabilities.
Conexus telemetry is not used in Medtronic pacemakers (including those with Bluetooth wireless functionality),” noted the company, adding that, “CareLink Express monitors and the CareLink Encore programmers (Model 29901) used by some hospitals and clinics do not use Conexus telemetry.”
At present, the company recommended that “patients use only bedside monitors obtained from a doctor or from Medtronic directly, to keep them plugged in so they can receive software updates, and that patients maintain 'good physical control' over the monitor,” according to the Star Tribune.
While it is possible to disable the wireless on the devices, the company urged patients and healthcare providers to continue to use it, noting that, “the benefits of remote monitoring outweigh the practical risk that these vulnerabilities could be exploited.” The company also advised that it is working on “updates to mitigate these vulnerabilities.”
Dr. Robert Kowal, chief medical officer for Medtronic’s cardiac rhythm and heart failure products, told the Star Tribune that to exploit the device a hacker would have to know its inner workings – and be about 20 feet or closer.
“Number one, this would be very hard to exploit to create harm,” Kowal told the paper. “Number two, we know of no evidence that anyone’s ever done this. And three, we are working closely with FDA as this whole cyber issue evolves to make sure we are not only handling this problem but we’re working on future devices to optimize security versus functionality.”
No recall is anticipated, as a software patch should be able to fix the issues.
Ben Ransford, CEO of medical device security firm Virta Labs, said he agreed with the assessments of Medtronic and federal officials that the vulnerabilities in the Medtronic defibrillators were not serious enough to warrant replacement.
“If I had one of these devices, I would not be concerned that this meant an attack is coming, or anything like that,” Ransford told the paper. Though not involved in the recent vulnerability discovery, he noted that variations of this issue with Medtronic defibrillators have been known since 2008.
“It looks like a manufacturer still has some work to do,” he told the paper. He also stressed that, “nothing about this issue is related to access via the internet.”
The FDA advised in its alert over this issue that healthcare providers:
Vulnerability to hacking is an ongoing and growing problem all through the healthcare space.
In mid-2018, DHS issued vulnerability advisories for the Philips Brilliance CT system, and the Silex Technology SX-500/SD-320AN and GE Healthcare MobileLink.
And in April 2018, DHS issued cyber warnings about Philips iSite and IntelliSpace PACS medical imaging archiving communications systems and the Alice 6 polysomnography system.
The Medtronic devices impacted, according to the company's alert include:
Implantable Devices
Amplia MRITM CRT-D, all models
Claria MRITM CRT-D, all models
Compia MRITM CRT-D, all models
ConcertoTM CRT-D, all models
ConcertoTM II CRT-D, all models
ConsultaTM CRT-D, all models
Evera MRITM ICD, all models
EveraTM ICD, all models
MaximoTM II CRT-D and ICD, all models
Mirro MRITM ICD, all models
Nayamed ND ICD, all models
Primo MRITM ICD, all models
ProtectaTM CRT-D and ICD, all models
SecuraTM ICD, all models
Programmers and Monitors
CareLinkTM 2090 Programmer
CareLinkTM Monitor, Model 2490C
MyCareLink Monitor, models 24950 and 24952
“The vulnerabilities apply to the proprietary Medtronic Conexus radio frequency wireless telemetry protocol, associated with some Medtronic ICDs (implantable cardioverter defibrillators) and CRT-Ds (cardiac resynchronization therapy defibrillators),” Medtronic said in its own alert about the issue.
According to DHS, the exploit could let an attacker “interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data.”
To hack the devices, a fairly low level of expertise is needed, just an “RF device capable of transmitting or receiving Conexus telemetry communication, such as a monitor, programmer, or software-defined radio (SDR), and short-range access to the devices when RF is active.”
Once the devices are exploited a hacker can read or write any location in their memory.
A second vulnerability, of less potential damage, would let a hacker read information stored in the device, such as a patient’s name and health data.
“To date, no cyberattack, privacy breach, or patient harm has been observed or associated with these vulnerabilities.
Conexus telemetry is not used in Medtronic pacemakers (including those with Bluetooth wireless functionality),” noted the company, adding that, “CareLink Express monitors and the CareLink Encore programmers (Model 29901) used by some hospitals and clinics do not use Conexus telemetry.”
At present, the company recommended that “patients use only bedside monitors obtained from a doctor or from Medtronic directly, to keep them plugged in so they can receive software updates, and that patients maintain 'good physical control' over the monitor,” according to the Star Tribune.
While it is possible to disable the wireless on the devices, the company urged patients and healthcare providers to continue to use it, noting that, “the benefits of remote monitoring outweigh the practical risk that these vulnerabilities could be exploited.” The company also advised that it is working on “updates to mitigate these vulnerabilities.”
Dr. Robert Kowal, chief medical officer for Medtronic’s cardiac rhythm and heart failure products, told the Star Tribune that to exploit the device a hacker would have to know its inner workings – and be about 20 feet or closer.
“Number one, this would be very hard to exploit to create harm,” Kowal told the paper. “Number two, we know of no evidence that anyone’s ever done this. And three, we are working closely with FDA as this whole cyber issue evolves to make sure we are not only handling this problem but we’re working on future devices to optimize security versus functionality.”
No recall is anticipated, as a software patch should be able to fix the issues.
Ben Ransford, CEO of medical device security firm Virta Labs, said he agreed with the assessments of Medtronic and federal officials that the vulnerabilities in the Medtronic defibrillators were not serious enough to warrant replacement.
“If I had one of these devices, I would not be concerned that this meant an attack is coming, or anything like that,” Ransford told the paper. Though not involved in the recent vulnerability discovery, he noted that variations of this issue with Medtronic defibrillators have been known since 2008.
“It looks like a manufacturer still has some work to do,” he told the paper. He also stressed that, “nothing about this issue is related to access via the internet.”
The FDA advised in its alert over this issue that healthcare providers:
- Continue to use the CareLink programmers for programming, testing and evaluation of ICD and CRT-D patients. There is no programmable setting that allows a clinician to turn off the Conexus wireless capabilities in the affected devices.
- Maintain control of CareLink programmers within your facility at all times.
- Use only home monitors, programmers, and implantable devices obtained directly from the manufacturer.
- Remind patients to keep their home monitors plugged in.
Vulnerability to hacking is an ongoing and growing problem all through the healthcare space.
In mid-2018, DHS issued vulnerability advisories for the Philips Brilliance CT system, and the Silex Technology SX-500/SD-320AN and GE Healthcare MobileLink.
And in April 2018, DHS issued cyber warnings about Philips iSite and IntelliSpace PACS medical imaging archiving communications systems and the Alice 6 polysomnography system.
The Medtronic devices impacted, according to the company's alert include:
Implantable Devices
Amplia MRITM CRT-D, all models
Claria MRITM CRT-D, all models
Compia MRITM CRT-D, all models
ConcertoTM CRT-D, all models
ConcertoTM II CRT-D, all models
ConsultaTM CRT-D, all models
Evera MRITM ICD, all models
EveraTM ICD, all models
MaximoTM II CRT-D and ICD, all models
Mirro MRITM ICD, all models
Nayamed ND ICD, all models
Primo MRITM ICD, all models
ProtectaTM CRT-D and ICD, all models
SecuraTM ICD, all models
Programmers and Monitors
CareLinkTM 2090 Programmer
CareLinkTM Monitor, Model 2490C
MyCareLink Monitor, models 24950 and 24952