Medtronic defribillators vulnerable to hacking, says FDA

The FDA and US government cyber experts have warned that hundreds of thousands of implantable defibrillators from manufacturer Medtronic are vulnerable to hacking.

Late last week the regulator warned about the issue in a safety communication, while the US Department of Homeland Security also flagged more details about the cybersecurity issues in the company’s wireless protocols.

It’s not the first time the FDA has issued cybersecurity alerts about Medtronic products – in February last year a recall affected some of the company’s implantable defibrillators, although these were caused by separate manufacturing problems.

The agency’s new communication expands on a number of products previously identified in a note about cybersecurity last autumn.

There were further details in a notice from a team of experts in cybersecurity from the Department of Homeland Security (DHS).

According to the DHS attackers could exploit vulnerabilities in the wireless communication system between the monitors that read data from Medtronic’s devices and relay them to doctors.

Attackers could overcome security protocols used by Medtronic products with ‘Conexus’ telemetry, allowing access to transmitted and sensitive data.

With the right radio frequency device, attackers could exploit brief periods when the device’s cyber defences are down to allow for transmission of data such as safety updates.

This could allow hackers to read and write instructions in the device’s memory location.

However in a communication, Medtronic pointed out that as yet there had been no cyberattack, privacy breach, or patient harm caused by the vulnerabilities.

The FDA and Medtronic have advised doctors and patients to continue using the devices until a work-around is developed.

The FDA also noted that although the skill level required to carry out attacks was quite low, they are unlikely.

This is because an attacker would have to be physically close to the device, such as within the same room, in order to make a strong enough connection.

While Medtronic develops a fix the FDA said doctors and patients can protect themselves by ensuring they use only remote monitors from Medtronic.