john torrison president
   
  • Club Home
  • Club Members
  • Listen with Bill
    • Bill's History
  • Turntable
    • TT History
  • The FlipSide
  • Picturesque!
  • Skips Corner
  • Gulliver's Travels
  • The Club Pub
    • Sucks News
  • Harv's Corner

The Club PUBlication  03/25/2018

2/25/2019

0 Comments

 
Picture
Picture

750,000 Medtronic defibrillators vulnerable to hacking

Picture
The Medtronic CareLink 2090 Programmer is a portable computer system used to program and manage cardiac devices in clinic and during implant. The device allows a doctor to set the exact parameters for when the defibrillator should send pulses or high-voltage shocks to the heart. It was among more than a dozen devices named in a March 2019 cybersecurity advisory.
The Homeland Security Department, which oversees security in critical U.S. infrastructure including medical devices, issued an alert. 
By Joe Carlson Star Tribune
 
MARCH 21, 2019 — 9:38PM

​As many as 750,000 heart devices made by Medtronic PLC contain a serious cybersecurity vulnerability that could let an attacker with sophisticated insider knowledge harm a patient by altering programming on an implanted defibrillator, company and federal officials said Thursday.

The Homeland Security Department, which oversees security in critical U.S. infrastructure including medical devices, issued an alert Thursday describing two types of computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some still on the market today. The vulnerability also affects bedside monitors that read data from the devices in patients’ homes and in-office programming computers used by doctors.

Medtronic recommends that patients use only bedside monitors obtained from a doctor or from Medtronic directly, to keep them plugged in so they can receive software updates, and that patients maintain “good physical control” over the monitor.

Implantable defibrillators are complex, battery-run computers implanted in patients’ upper chests to monitor the heart and send electric pulses or high-voltage shocks to prevent sudden cardiac death and treat abnormal heart beats. The vulnerabilities announced Thursday do not affect Medtronic pacemakers.

Medtronic, run from offices in Fridley, says the risk of physical harm to defibrillator patients appears to be low, even though one of the two issues described by Homeland Security was assigned a CVSS base score of 9.3 out of 10. A higher CVSS base sore indicates a more severe vulnerability, but it assumes an attacker already has the knowledge and tools to mount the attack.
​
Although the vulnerabilities could be prevented by shutting off the devices’ wireless communications, Medtronic is urging doctors and patients to keep the devices’ wireless communications switched on. Remote patient monitoring can alert doctors to developing health or device problems and has been shown to improve outcomes in heart-device patients.
Picture
GLEN STUBBE, STAR TRIBUNE Doctors placed wires for a Medtronic defibrillator in a patient in this file photo from June 2005, watching the placement
The vulnerabilities were discovered by two different teams of security researchers and reported to Medtronic, which reported it to authorities, Medtronic officials said.
​
Medtronic is now actively monitoring its network for signs that someone was trying to exploit the vulnerabilities. Medtronic officials say affected defibrillators contain a feature that shuts down wireless communications upon receiving unusual commands.



Dr. Robert Kowal, chief medical officer for Medtronic’s cardiac rhythm and heart failure products, said in an ​interview that a hacker would have to be within 20 feet or so of the patient, would need detailed knowledge of the device’s inner workings, and have possession of specialized technology to pull off the hack.

“No. 1, this would be very hard to exploit to create harm,” Kowal said. “No. 2, we know of no evidence that anyone’s ever done this. And 3, we are working closely with FDA as this whole cyber issue evolves to make sure we are not only handling this problem but we’re working on future devices to optimize security versus functionality.”

The FDA is not expected to issue a recall. Rather, the vulnerabilities will likely be addressed through a future software patch, as happened last year with a widespread vulnerability in implantable defibrillators made by St. Jude Medical, which was acquired by Chicago’s Abbott Laboratories in 2017.

Ben Ransford, CEO of medical-device security firm Virta Labs, said he agreed with the assessments of Medtronic and federal officials that the vulnerabilities in the Medtronic defibrillators were not serious enough to warrant replacement.

“If I had one of these devices, I would not be concerned that this meant an attack is coming, or anything like that,” said Ransford, who was not involved in detecting or investigating the vulnerabilities.  A known weakness

But Ransford did say it was surprising that issues like the ones in Thursday’s advisory continue to crop up in Medtronic defibrillators, since this variety of vulnerability has been known since 2008.

A decade ago Ransford was part of a team of researchers that tested a bacon-wrapped Medtronic Maximo defibrillator and came to the surprising conclusion that it could be hacked.

In the groundbreaking paper, the researchers reported that they could cause their compromised device to issue shocks on command, shut down its lifesaving features and change functionality so the battery would wear out.

“It looks like a manufacturer still has some work to do,” Ransford said.

Ransford said the effects of the attack appeared to be essentially the same, regardless of the specific route used to attack the device. Medtronic officials said the vulnerabilities described in the 2008 paper involved a different communications protocol.

The Homeland Security advisory describes two specific vulnerabilities in the Medtronic defibrillators.

The more serious of the two is a vulnerability that could allow improper access to data sent between a defibrillator and an external device like an at-home monitor. The system doesn’t use formal authentication or authorization protections, which means an attacker with short-range access to the device could inject or modify data and change device settings, the advisory says.

A second vulnerability allows an attacker to read sensitive data streaming out of the device, which could include the patient’s name and past health data stored on their device. The system does not use data encryption, the advisory says. (Deploying encryption in medical devices is tricky because is increases computational complexity and therefore uses the battery faster.)
​

What to Know

• Defibrillators do not need to be replaced. Medtronic says a software update is coming.

• Turning off the devices’ wireless communication would prevent vulnerabilities but also beneficial features.

• Patients should use only bedside monitors provided by their doctor/the company.

• Patients should maintain physical control over their monitors, report concerns.

​The common connection between all of the vulnerabilities and affected devices is Medtronic’s proprietary Connexus “telemetry protocol” or communication system.

The FDA first approved a device with the Connexus protocol in 2006. At the time, the system was hailed as a breakthrough that would automatically be transmitted from an implanted device to an at-home monitor to the doctor’s office via the internet.
​
However, Kowal noted that the vulnerabilities in Thursday’s alert must be exploited in close physical proximity to the patient.

​“Nothing about this issue is related to access via the internet,” he said. Thursday’s advisory affects two types of defibrillators: standard implantable cardioverter defibrillators (ICDs) as well as more complex cardiac resynchronization therapy defibrillators (CRT-Ds) that can deliver current to both sides of the heart. Some of the models are approved to be compatible with magnetic-resonance imaging, or MRI.



Joe Carlson writes about medical technology in Minnesota for the Star Tribune.
​[email protected]
 612-673-4779 _JoeCarlson

0 Comments



Leave a Reply.

    Archives

    July 2025
    June 2025
    May 2025
    April 2025
    March 2025
    February 2025
    January 2025
    December 2024
    November 2024
    October 2024
    September 2024
    August 2024
    July 2024
    June 2024
    April 2024
    March 2024
    February 2024
    January 2024
    December 2023
    November 2023
    October 2023
    September 2023
    August 2023
    July 2023
    June 2023
    May 2023
    April 2023
    March 2023
    February 2023
    January 2023
    December 2022
    November 2022
    October 2022
    September 2022
    August 2022
    July 2022
    June 2022
    May 2022
    April 2022
    March 2022
    February 2022
    January 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018

    RSS Feed