The U.S. Department of Homeland Security has issued an alert warning of two types of computer-hacking vulnerabilities in 16 different models of implantable defibrillators made by Medtronic PLC (NYSE: MDT). According to reports, two different teams of security researchers discovered the vulnerabilities and reported them to Medtronic, which then reported them to authorities. Homeland Security oversees security in critical U.S. infrastructure, which includes medical devices.
The advisory describes two specific vulnerabilities in the Medtronic defibrillators. One is a vulnerability that could allow an attacker with short-range access to an implanted defibrillator to alter its programming by changing the settings or modifying the data. The other vulnerability would allow an attacker to read sensitive data, including past health data, streaming out of the device.
Medtronic said it is working on a fix for both issues, most likely through a future software patch. As many as 750,000 Medtronic heart devices are estimated to be affected. The devices have been sold around the world and some are still on the market today. The vulnerabilities do not affect Medtronic pacemakers.
Medtronic says the risk of physical harm to defibrillator patients appears to be low. In an interview, Dr. Robert Kowal, chief medical officer for Medtronic’s cardiac rhythm and heart failure products, said, “No. 1, this would be very hard to exploit to create harm. No. 2, we know of no evidence that anyone’s ever done this. And 3, we are working closely with FDA as this whole cyber issue evolves to make sure we are not only handling this problem but we’re working on future devices to optimize security versus functionality.”