The Cybersecurity and Infrastructure Security Agency (CISA) announced last week that implanted cardiac defibrillators manufactured by Medtronic are vulnerable to hacking attempts.
An advisory states that it would take a relatively “low skill level” for hackers to gain access to one of the affected products and change its settings, which could cause harm to the consumer it’s implanted in. Malicious parties may also be capable of gathering sensitive information about consumers through the device.
Officials say that the devices are vulnerable to hacking because they do not use adequate authentication or authorization protocols. When the devices’ RF radio function is turned on, hackers can “inject, replay, modify, and/or intercept data within the telemetry communication,” according to the report.
Twenty models affected
Medtronic says that up to 20 of its products are vulnerable due to the inadequate protocols. They include:
MyCareLink Monitor, Versions 24950 and 24952;
CareLink Monitor, Version 2490C;
CareLink 2090 Programmer;
Amplia CRT-D (all models);
Claria CRT-D (all models);
Compia CRT-D (all models);
Concerto CRT-D (all models);
Concerto II CRT-D (all models);
Consulta CRT-D (all models);
Evera ICD (all models);
Maximo II CRT-D and ICD (all models);
Mirro ICD (all models);
Nayamed ND ICD (all models);
Primo ICD (all models);
Protecta ICD and CRT-D (all models);
Secura ICD (all models);
Virtuoso ICD (all models);
Virtuoso II ICD (all models);
Visia AF ICD (all models); and
Viva CRT-D (all models).
Medtronic says it has applied some additional controls to respond to improper access to the above products, and it plans to roll out more updates and solutions in the near future. However, to reduce the risk of being hacked, the company advises consumers to take the following precautions:
Maintain good physical control over home monitors and programmers;
Use only home monitors, programmers, and implantable devices obtained directly from your healthcare provider or a Medtronic representative to ensure integrity of the system;
Do not connect unapproved devices to home monitors and programmers through USB ports or other physical connections;
Only use programmers to connect and interact with implanted devices in physically controlled hospital and clinical environments;
Only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment; and
Report any concerning behavior regarding these products to your healthcare provider or a Medtronic representative.
Consumers with questions on the above information can contact the National Cybersecurity & Communications Integration Center (NCCIC), which is handling the case. The agency can be reached by email or called toll-free at 1-888-282-0870.