June 5th, 2019

Medical Device Vulnerable to Hackers

The world’s largest medical device manufacturer, Minnesota-based Medtronic, Inc., recently announced that many of its implanted cardiac defibrillators use an unencrypted wireless protocol that could allow computer hackers to change the settings. The defibrillators at issue are used to correct life-threatening arrhythmias.

The Cybersecurity and Infrastructure Security Agency, a division of the U.S. Department of Homeland Security, issued a Medical Advisory bulletin on March 21, 2019, advising that Medtronic devices utilizing the Conexus telemetry protocol in cardiac defibrillators “may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data.” Conexus is a wireless protocol which links the defibrillators with home monitors and with physicians and device programmers in remote locations. The flaw identified in the communication protocol was given a vulnerability score of 9.3, close to the top of the 10-point scale. The bulletin states that an unauthorized individual with a “low skill level” could gain access to the equipment’s settings and possibly change them. Approximately 750,000 heart devices are affected, according to Medtronic.

To date, there are no reported cases of unauthorized hackers changing the settings on implanted cardiac defibrillators. The Agency stated that while a successful attack would not be difficult to pull off technically, the likelihood of an attack succeeding was low because the devices use radio frequency transmissions, and therefore can transmit only about 20 feet. Accordingly, a would-be hacker would need to be in the same room as the targeted equipment.

In response to the Homeland Security bulletin, Medtronic said it planned to develop a software program to fix its Conexus protocol. In the meantime, the FDA advised that patients should keep their equipment plugged in at all times so that it can receive updates. The FDA does not intend to issue a recall at this time.

Attorney Jennifer Weed is a member of the firm’s Medical Malpractice Defense Group, counseling hospitals and medical professionals in medical malpractice litigation and risk management matters.