Security researchers say they’ve found flaws in the Medtronic pacemaker that leave the life-saving device vulnerable to hackers and put patients at risk.
Billy Rios and Jonathan Butts say they’ve found vulnerabilities that compromise the pacemaker’s programmer, which can control the electrical impulses that are sent to the heart to regulate a patient’s heartbeat. About 33,000 of these programmers, called the CareLink 2090, are in use.
Rios and Butts demonstrated the security weaknesses earlier this month at the annual Black Hat cyber security conference in Las Vegas, one of the industry’s most prestigious annual meetings.
Rios, who founded WhiteScope, a startup focused on embedded device security, says he presented his research publicly because he is frustrated by what he calls Medtronic’s slow response in addressing and fixing these flaws.
“They are more interested in protecting their brand than their patients,” Rios told CNBC, noting that the technical fix for these vulnerabilities is relatively easy.
For its part, the medical device company says the likelihood of a successful cyber attack is low, and that the company is not aware of any security breaches involving patients with its medical devices.
“All medical devices carry some associated risk, and, like the regulators, we continuously strive to balance the risks against the benefits our devices provide,” Medtronic said in a statement.
Medtronic next reports its financial results on Aug. 21.
Here is the full Medtronic statement:
Medtronic emphasizes the safety of its products. Product safety and quality are top priorities for Medtronic, and we have a strong product security program that leverages internal and external security and medical device experts, rigorous development processes and current practices to enable security and usability. We are, and continue to be, committed to delivering safe and effective devices to address our patients’ therapeutic conditions.
It’s important to note, however, that the likelihood of a breach of a patient’s device is low, and we are not aware of any security breaches involving patients with our medical devices. All medical devices carry some associated risk, and, like the regulators, we continuously strive to balance the risks against the benefits our devices provide.
Additionally, we value collaboration and transparency with industry partners and the regulatory community, and we support FDA guidance on these matters. Medtronic is committed to a robust, coordinated disclosure process and takes seriously all potential cybersecurity vulnerabilities in our products and systems, and we consistently seek to improve these processes, in terms of our technical evaluation, required remediation and speed of disclosure.
We follow formal processes, as required by the FDA and other regulators, for evaluating and mitigating the risks associated with all cybersecurity vulnerabilities.
In the past, WhiteScope, LLC has identified potential vulnerabilities which we have assessed independently and also issued related notifications. If new vulnerabilities are brought to our attention, we will assess them in accordance with our processes as developed pursuant to FDA guidelines.
Medtronic provides updates on security vulnerabilities and provides its full statements on device security issues here.