The Homeland Security Department has issued an alert Thursday describing two types of computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some still on the market today. The vulnerability also affects bedside monitors that read data from the devices in patients’ homes and in-office programming computers used by doctors. From the report: Medtronic recommends that patients only use bedside monitors obtained from a doctor or from Medtronic directly, and to keep it plugged in so it can receive software updates, and that they maintain “good physical control” over the monitor. Implantable defibrillators are complex, battery-run computers implanted in patients’ upper chests to monitor the heart and send electric pulses or high-voltage shocks to prevent sudden cardiac death and treat abnormal heart beats. The vulnerabilities announced Thursday do not affect Medtronic pacemakers.
The more serious of the two is a vulnerability that could allow improper access to data sent between a defibrillator and an external device like an at-home monitor. The system doesn’t use formal authentication or authorization protections, which means an attacker with short-range access to the device could inject or modify data and change device settings, the advisory says. A second vulnerability allows an attacker to read sensitive data streaming out of the device, which could include the patient’s name and past health data stored on their device. The system does not use data encryption, the advisory says. (Deploying encryption in medical devices is tricky because is increases computational complexity and therefore uses the battery faster.) The FDA isn’t expected to issue a recall as the vulnerabilities are expected to be patched via a future software update.
Read more of this story at Slashdot.