March 22, 2019
DHS issues alert that up to 750 000 Medtronic defibrillators, among other devices, have a serious security flaw that an attacker can use to cause harm.
The Department of Homeland Security National Cyber Security Division (NCSD), which is responsible for monitoring critical United States infrastructure, has issued an alert stating that as many as 750 000 defibrillators are at risk from a short-range wireless attack. This covers 16 different models of implantable defibrillators, in addition to bedside monitors used in patients’ homes and doctors’ programming computers. The security vulnerability does not, however, affect anyone with a pacemaker.
How dangerous is the security flaw?
The NCSD has found two flaws, with one being given a CVSS classification of 9.3 out of ten. This means that they consider it a very serious flaw. However, an attacker must already have the knowledge and the tools to mount an attack. The attacker would need to be within 20 feet of the patient, have detailed knowledge of the inner workings of the device and still have extremely specialized equipment to be able to do anything nefarious.
Dr. Robert Kowal, who is the Chief Medical Officer for Medtronic’s cardiac rhythm and heart failure products, had the following to say:
“No. 1, this would be very hard to exploit to create harm, No. 2, we know of no evidence that anyone’s ever done this. And 3, we are working closely with FDA as this whole cyber issue evolves to make sure we are not only handling this problem but we’re working on future devices to optimize security versus functionality.”
He added that Medtronic defibrillators have a built-in measure in case of an attack: they shut down automatically if they receive any unusual commands. He further added that nothing about this issue is related to the internet; rather, it is strictly a local problem.
Medtronic has issued a statement that the benefits of remote monitoring outweigh any risk posed by these security flaws. While the most secure option is to turn off wireless communications, Medtronic believes that the safest option is to keep it on. Doctors can be alerted to any developing conditions or mechanical device problems earlier, and it has been shown to improve outcomes in patients using the heart device wirelessly.
It is a known weakness
Independent researchers from Virtalabs, who specialize in medical-device security, have confirmed that while the flaw is serious, the devices do not need replacing. Ben Ransford, the CEO of Virtalabs, said that he would not be worried if he had one of the devices himself.
Ransford was surprised, however, that such issues keep cropping up in Medtronic devices. He was part of a research team that proved that the Medtronic Maximo could be hacked. That was in 2008, and seeing similar vulnerabilities again is peculiar.
He said that while some of the specific routes to hack the device were slightly different, the effects were virtually identical. One flaw allows attackers to change settings on the device itself. The other flaw allows an attacker to read data from the device, gaining access to the patient’s cardiac history.