Some Implantable Cardiac Devices Have Cybersecurity Flaw

Device Use Should Continue: Remote Monitoring Benefits Outweigh Cyberattack Risks

Medtronic has disclosed a potential cybersecurity risk in several of its implantable cardiac devices, including defibrillators and resynchronization therapy hardware.

The security flaw was found in the Conexus radio frequency wireless telemetry protocol, which transmits unencrypted data to program the devices or gather information from the implants.

According to Medtronic, the vulnerabilities could enable unauthorized users to access or change the settings on implantable devices, at-home monitors, or programmers in the clinic. The company stated there have been no reports of a related cyberattack, privacy breach, or harm to patients.

The affected devices include models such as the Amplia, Claria, Compia, Concerto, Consulta, and Viva CRT-D devices; Evera, Maximo II, Mirro, Nayamed ND, Primo, Protecta, Secura, Virtuoso, and Visia implantable defibrillators; and some CareLink monitors and programmers. Medtronic’s pacemakers do not use Conexus telemetry.

Medtronic and the FDA recommended that the devices continue to be used, saying that the benefits of remote monitoring (which include earlier detection of arrhythmias, fewer hospital visits, and improved survival rates) outweigh the risks of cyberattack. To exploit the vulnerabilities, attackers would need specialized knowledge of medical devices, wireless telemetry, and electrophysiology. In addition, device activation times are limited outside the hospital/clinic, vary by patient, and would be hard for an unauthorized user to predict.

The FDA said that reprogramming or updating the devices is not required at present.

Source: FierceBiotech, March 26, 2019; Medtronic, March 21, 2019