March 22, 2019
by Ana Mulero

FDA, DHS Alert to Cybersecurity Flaws Affecting Medtronic Cardiac Devices, Programmers, Monitors

Hundreds of thousands of units of Medtronic implantable cardiac devices, programmers and home monitors are vulnerable to cybersecurity incidents, according to two US federal government notices.

On Thursday, the US Food and Drug Administration (FDA) issued an FDA safety communication, while the US Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory to flag cybersecurity vulnerabilities detected in Medtronic’s Conexus telemetry protocol. The wireless technology is used to enable communication between the medical device manufacturer’s implantable cardiac devices, clinic programmers and home monitors.

FDA has issued alerts of cybersecurity vulnerabilities identified in Medtronic’s remote monitoring products in the past. Its latest notice applies to a wider range of products compared to previous alerts, including the February 2018 Class I recall that affected certain models of Medtronic’s cardiac implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds). Two FDA warning letters to Medtronic later revealed the manufacturing problems that led to the ICD and CRT-D recalls last year.

The agency’s new safety communication expands on most of the products previously identified as either vulnerable to cyber incidents or affected by manufacturing defects. It includes all models of the Amplia MRI, Claria MRI, Compia MRI, Concerto, Concerto II, Consulta and Viva CRT-Ds, as well as all models of the Evera MRI, Evera, Mirro MRI, Nayamed ND, Primo MRI, Secura, Virtuoso, Virtuoso II, Visia AF MRI and Visia AF ICDs. It also applies to all CRT-D and ICD models of Medtronic’s Maximo and Protecta.

In addition to the ICD and CRT-D models, FDA alerted to the cyber vulnerabilities affecting two models of the Medtronic MyCareLink Monitor and a model of the CareLink Monitors. The CareLink 2090 Programmer has remained vulnerable to potential cyber incidents at least since FDA’s October 2018 safety notice. The home monitors are used for connecting to implanted cardiac devices and reading the data stored on the devices, whereas the programmers are used during implantation and for follow-ups.

The Conexus telemetry protocol enables communication between the affected devices to transmit data for remote patient monitoring, provide for real-time clinician evaluations and/or allow clinicians to program device settings in implanted cardiac devices. It “has cybersecurity vulnerabilities because it does not use encryption, authentication or authorization,” FDA said. ICS-CERT confirmed these issues, as well.

Both FDA and ICS-CERT reported that an attacker or unauthorized individual could exploit the detected cybersecurity vulnerabilities to access one of the affected products in proximity, impact device functionality and/or intercept sensitive patient data within the telemetry communication. The improper access vulnerability was assigned a critical score (9.3), and the data transmission vulnerability a medium score (6.5).

“Medtronic is developing updates to mitigate these vulnerabilities,” the manufacturer said. “We will inform patients and physicians when they become available (subject to regulatory approvals).” FDA and Medtronic believe the benefits of using the affected devices continue to outweigh the risks. FDA identified a set of recommendations for healthcare providers and another for patients and caregivers.

ICS-CERT’s advisory recommended mitigation measures to minimize risk of exploitation. These include restricting system access to authorized personnel and disabling unnecessary accounts, among others.

FDA, ICS-CERT