Bad guys can hack your heart.
That’s the core message of a new advisory from the U.S. Department of Homeland Security (DHS).
In late March, the agency warned that computer hackers can easily gain access to implanted cardiac defibrillators made by Medtronic.
“An attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication,” according to a statement from the DHS.
“This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device,” the advisory continued.
The devices all use Medtronic’s proprietary Conexus system, which the DHS’ National Cybersecurity and Communications Integration Center said is vulnerable to “low skill level” attackers who can interfere with, generate, modify, or intercept Conexus radio frequency (RF) communications.
“The Conexus telemetry protocol… does not implement authentication or authorization,” the most basic types of protection against unauthorized access, according to the advisory. Nor is communication with the device encrypted, meaning that hackers can gather personal medical data as well.
The announcement came as no surprise to cybersecurity experts.
“Cybersecurity across the board in biomedical devices is so poor,” Dennis Chow, chief information security officer at SCIS Security in Houston, told Healthline.
Tyler Hudak, head of incident response at Ohio cybersecurity firm TrustedSec, who formerly held the same title at the Mayo Clinic, agrees.
“This is absolutely indicative of the lack of security for medical devices. Traditionally, there has been a complete lack of security,” Hudak told Healthline.
In a statement, Medtronic said it’s conducting security checks to look for unauthorized or unusual activity affecting its devices.
“To date, no cyberattack, privacy breach, or patient harm has been observed or associated with these issues,” according to a company statement sent to Healthline.
Hudak told Healthline that despite official reassurances, such an attack “is not theoretical.”
“It’s definitely possible,” Hudak said. “Researchers were able to perform these attacks.”
In a nightmare scenario, he says, a hacker could shut off a defibrillator or command it to deliver a shock to the heart.
On the other hand, hackers wouldn’t be able to access the devices from their basement.
“That’s probably within the realm of spy novels,” Hudak says.
They would have to be within a few feet of the wearer and would have to time their attacks to when the devices “wake up” to communicate data, both factors that limit risk.
Dr. Shephal Doshi, a cardiac electrophysiologist and director of cardiac electrophysiology and pacing at Providence Saint John’s Health Center in California, says an attempt to reprogram devices in a way that exposes patients to danger “would be extremely rare and unlikely.”
“The defibrillators need to be… within 20 feet to actually reprogram the device,” he told Healthline. “People cannot reprogram the device while you are sleeping from a remote location.
“There would have to be within close proximity of your device, and your device would have to be in an active state to allow such reprogramming. This would make it impractical for someone to develop a contraption and then stand next to the patient and reprogram the device.”
Medtronic and the Food and Drug Administration recommended that patients and physicians “continue to use devices and technology as prescribed and intended, as this provides for the most efficient way to manage patients’ devices and heart conditions,” according to the company statement.
A software update to improve device security is currently under development and should be available later this year, subject to government approval, according to the company statement.
Medtronic also advised device users to take other steps to defend against attacks, including maintaining physical control over home monitors and programming devices as well as using only devices provided directly by doctors or Medtronic.
They also advised consumers to avoid connecting unapproved devices to monitors or programmers and only use programmers in medical facilities and home monitors in private areas.
Chow urges people with these implanted devices to go to their doctor’s office to have the device firmware updated once it’s available.
“There’s no reason not to take measures to protect yourself,” he said.
“Because the risk of changing the defibrillator involves a substantial risk of infection at the time of surgery, it is not logical to want to change the device based on the fear that someone is going to hack into them,” Doshi said.
“Patients should verify with their physicians if they have any of these models of devices that are potentially at risk [and] verify that they are connected to the remote monitoring system, which may provide them an opportunity to have automatic updates to the software,” he added.
The models of ICDs (implantable-cardioverter defibrillators) and CRT-Ds (implantable cardiac resynchronization therapy/defibrillator devices) vulnerable to hackers include:
- Amplia CRT-D (all models)
- CareLink Monitor, version 2490C
- CareLink 2090 Programmer
- Claria CRT-D (all models)
- Compia CRT-D (all models)
- Concerto CRT-D (all models)
- Concerto II CRT-D (all models)
- Consulta CRT-D (all models)
- Evera ICD (all models)
- Maximo II CRT-D and ICD (all models)
- Mirro ICD (all models)
- MyCareLink Monitor, versions 24950 and 24952
- NayaMed ND ICD (all models)
- Primo ICD (all models)
- Protecta ICD and CRT-D (all models)
- Secura ICD (all models)
- Virtuoso ICD (all models)
- Virtuoso II ICD (all models)
- Visia AF ICD (all models)
- Viva CRT-D (all models)
The advisory doesn’t apply to Medtronic pacemakers, insertable cardiac monitors, or other Medtronic devices.