Gross McGinley LLP

Blog Disclaimer

This Blog is intended for educational and informational purposes and intended to only provide you with a general understanding of the law, not to provide any legal advice, including on the subject of the Blog. Laws that may pertain to this Blog will vary by jurisdiction, and the information on this blog may not apply to you. The content within this Blog is not intended, and should not be construed, in any way to be legal advice and thus you should not rely on any information provided in the Blog as legal advice. You should consult with appropriate legal counsel concerning any issues for which legal advice may be needed. Your review or use of the Blog and the content therein is not intended to create, and does not constitute, an attorney-client relationship. Please contact us if you have any questions about a Blog or would like more information, but, by contacting us, no attorney-client relationship is formed between you and Gross McGinley, LLP, including the Blog author. Do not send any confidential information to Gross McGinley, LLP or the authors of the Blog without first speaking to one of our lawyers and receiving our permission to provide confidential information. Unsolicited confidential information sent to us may not be subject to an attorney-client privilege and may not be treated as confidential. This Blog is not published for advertising or solicitation purposes. Gross McGinley, LLP disclaims all liability to all persons for any claim, loss, liability or any damages that may arise in connection with the Blog and any content or information contained in the Blog. Even though we strive to create our Blog content based on our current understanding of the law, we cannot and do not guarantee that the content and information in the Blog is current, accurate, or complete. Gross McGinley, LLP owns the copyright in the Blog, which is protected by federal and state laws, including copyright laws. The Blog cannot be altered or modified in any way. 
A copy of the Blog may be used and printed only for personal, educational, informational and noncommercial purposes. The Blog cannot be used for any other purpose without the express permission of Gross McGinley, LLP.

Medical Device Vulnerable to Hackers

Written on June 05, 2019 | Category: Blog

The world’s largest medical device manufacturer, Medtronic, Inc., based in Minnesota, recently announced that many of its implanted cardiac defibrillators use an unencrypted wireless program that could allow computer hackers to change the settings. The defibrillators at issue are used to correct life-threatening arrhythmias.

The Cybersecurity and Infrastructure Security Agency, a division of the U.S. Department of Homeland Security, issued a Medical Advisory bulletin on March 21, 2019, advising that Medtronic devices utilizing the Conexus telemetry protocol in cardiac defibrillators “may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data.” Conexus is a wireless protocol that links the defibrillators with home monitors and with physicians and device programmers in remote locations. The flaw identified in the communication protocol was given a vulnerability score of 9.3, close to the top of the 10-point scale. The bulletin states that an unauthorized individual with a “low skill level” could gain access to the equipment’s settings and possibly change them. Approximately 750,000 heart devices are affected, according to Medtronic.

To date, there are no reported cases of unauthorized hackers changing the settings on implanted cardiac defibrillators. The Agency stated that while a successful attack would not be difficult to pull off technically, the likelihood of an attack succeeding was low because the devices use radio frequency transmissions, and therefore can transmit only about 20 feet. Accordingly, a would-be hacker would need to be in the same room as the targeted equipment.

In response to the Homeland Security bulletin, Medtronic said it planned to develop a software program to fix its Conexus protocol. In the meantime, the FDA advised that patients should keep their equipment plugged in at all times so that it can receive updates. The FDA does not intend to issue a recall at this time.


Attorney Jennifer Weed is a member of the firm’s Medical Malpractice Defense Group, counseling hospitals and medical professionals in medical malpractice litigation and risk management matters.
