Hackers can take over heart devices, DHS warns

Every connected device these days is a potential target for hackers, and that now includes defibrillators.

Implantable defibrillators made by Minneapolis, Minn.-based Medtronic could allow an attacker to disrupt the devices and collect sensitive data from them, the Department of Homeland Security (DHS) said in a medical advisory.

A defibrillator treats a life-threatening cardiac event by resetting the electrical state of the heart so it can beat normally. In Medtronic’s case, the defibrillator uses an insecure protocol to communicate with other devices.


Exploiting the vulnerability requires only a “low level” of skill, the DHS advisory said.

The issue affects certain ICD (implantable cardioverter defibrillator) and CRT-D (implantable cardiac resynchronization therapy/defibrillator) models that use the Conexus telemetry system, Medtronic told Fox News in a statement.

The problem does not affect cardiac pacemakers, implantable cardiac monitors, or other Medtronic devices, the company said. “To date, no cyber attack, privacy violation, or injury to the patient has been observed in connection with these problems,” Medtronic added.

An important vulnerability is that the Conexus telemetry protocol (an automated communication process to collect data) used by the devices does not support authentication or authorization, according to the DHS.

“An attacker with short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication,” the DHS advisory said.

The DHS advisory listed about 20 affected Medtronic products and versions.

Connected and vulnerable

Medical devices are increasingly connected to the internet, hospital networks and other devices, the Food and Drug Administration (FDA) said in a separate general advisory.

“These same features also increase the risk of potential cybersecurity threats,” the FDA said.

“We have a mass of medical devices that do not have security built in,” Nadir Izrael, CTO and co-founder of Armis, an IoT (Internet of Things) security company, told Fox News.

“I speak with companies in health care regularly, and I’ve seen the ways that connected devices in the healthcare sector are the target of malicious actors,” Izrael continued. “I’ve seen MRI machines talking to servers in Russia, a medical crash cart used to gain access to Facebook or phishing websites, and even an infusion pump, infected by malware, that was still connected to a patient.”


Medtronic said that it is developing software updates to enhance the security of the wireless communication. The first update is planned for later in 2019, subject to regulatory approvals.

Medtronic and the FDA recommend that patients and doctors continue to use the devices as prescribed and intended, “as this provides for the most efficient way to manage patients, devices and heart disease,” the company said.

Defensive measures users can take to limit the risk:

  • Maintain physical control over home monitors and programmers
  • Only use home monitors, programmers and implantable devices obtained directly from your healthcare provider or a Medtronic representative to ensure the integrity of the system
  • Do not connect non-approved devices, home monitors, and programmers through USB ports or other physical connections
