Hackers could take over some implanted defibrillators, FDA says

By Alex Johnson

The world’s largest medical device company has acknowledged that many of its implanted cardiac defibrillators use an unencrypted wireless protocol that could allow an attacker to change the settings of the lifesaving devices.

The vulnerability affects more than 20 defibrillator models, monitors and programmer units made by Medtronic Inc. of Fridley, Minnesota. The devices include implantable cardioverter defibrillators, or ICDs, which can correct a dangerously fast or irregular heartbeat, and cardiac resynchronization therapy defibrillators, or CRT-Ds, which are essentially pacemakers that deliver small electrical charges to help keep the heart’s ventricles pumping in sync.

In a bulletin issued late last week, the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security, assigned the flaw a vulnerability score of 9.3 — near the top of its 10-point scale. It said the flaw could allow a bad actor of “low skill level” to read and write any memory location on the implanted devices.

Medtronic acknowledged in a statement that the flaw could allow an unauthorized individual to gain access to the equipment’s settings — and possibly change them.

But both Medtronic and the U.S. Food and Drug Administration, or FDA, advised doctors and patients to continue using the devices while a fix is developed. That’s because the defibrillators’ therapeutic value far outweighs the potential risk, they said, adding that no one is known to have successfully exploited the flaw.

The system uses a proprietary wireless protocol called Conexus, which links the defibrillators with home monitors and with doctors and device programmers in remote locations.