Medtronic PLC's Conexus telemetry system, used to control and monitor the medical device company's implantable cardiac defibrillators, has been found to be at risk of exploitation and consequent interference by attackers within radio range, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency warned.
The vulnerable products, which include the CareLink Programmer used by doctors to monitor implanted cardiac defibrillators, could be compromised by even low-skill attackers, the agency said in a March 21 advisory, rating the risk at 9.3 out of 10.
According to the advisory, the telemetry protocol used for the 20 affected products does not implement encryption, authentication or authorization, which means an attacker could listen to transmissions using the radio frequency as well as "inject, replay, modify, and/or intercept data within the telemetry communication."
The notice advised users to report any abnormalities to their healthcare provider or Medtronic, and to use the affected home monitors, the MyCareLink Monitor, only in private environments. The agency also recommended users take defensive measures and said Medtronic has "applied additional controls for monitoring and responding to improper use," with additional mitigation strategies underway.
Cardiac defibrillators are implanted to monitor and regulate potentially fatal heart rhythms. These defibrillators use radio-linked consoles to allow doctors and patients to confirm that the devices are working properly, as well as to support follow-up transmissions and other operational and safety notifications.
According to Medtronic's website, the Dublin-based company's products' "therapeutic benefits ... far outweigh any potential security risks."
A Medtronic spokesperson said the issue does not include Medtronic pacemakers or insertable cardiac monitors.
"Medtronic is conducting security checks to look for unauthorized or unusual activity that could be related to these issues," the spokesperson said in an emailed statement. "To date, no cyberattack, privacy breach, or patient harm has been observed or associated with these issues."
Updates addressing the security issues are planned, with the first scheduled for release later in 2019, according to the spokesperson.
"Medtronic and the FDA recommend that patients and physicians continue to use devices and technology as prescribed and intended, as this provides for the most efficient way to manage patients' devices and heart conditions," Medtronic's statement concluded.
Cyberattacks on medical devices have become an increasing concern to regulators, and the U.S. Food and Drug Administration released initiatives in October 2018 to address rising cyber-risks.