Medtronic Faces Cybersecurity Risk for Clinical Programmer

The Department of Homeland Security has warned in a report that there are cybersecurity vulnerabilities in Medtronic’s N’Vision clinical programmer.

The Department of Homeland Security (DHS) is warning that there are cybersecurity vulnerabilities in Medtronic’s N’Vision clinical programmer. The Dublin-based company’s Programmer is a small, portable device that offers a single programming platform for Medtronic Neurological implantable therapy offerings. The company pointed out it is not an implantable device.

The N’Vision Clinical Programmer has the potential to store Personal Health Information or Personal Identifying Information. In its report, DHS said the successful exploitation of the vulnerability could “allow an attacker with physical access to an 8870 N’Vision Compact Flash” card to access this personal information.

Medtronic said it has assessed this vulnerability per its internal process.

A spokesperson for the company told MD+DI that, “these findings revealed a low safety risk because physical access to a physician programmer is needed to exploit the vulnerability; this does not pose a risk for changing the function or performance of an implanted device; these devices are not commercially sold, and these devices are intended for only healthcare practitioners.”

Medtronic said any commercial sales to third parties are strictly prohibited, and it has published an advisory about this vulnerability, detailing steps to mitigate any risk of inappropriate data exposure. Network-connected medical devices promise an entirely new level of value for patients and doctors, but they also introduce new cybersecurity vulnerabilities that could affect clinical operations and put patient care at risk.

Various firms have faced cybersecurity vulnerabilities. Abbott Laboratories’ St. Jude Medical ran into issues with its Merlin technology back in 2016. A cybersecurity flaw was identified in the technology that could allow hackers to take control of a person’s defibrillator or pacemaker. In January of 2017, Abbott sent out an update to deal with the  vulnerabilities. 

500 characters remaining
This is an interesting case in that DHS says there is a problem and Medtronic says the risk has been considered and found not substantial. In addition there are no publicly reported instances of the vulnerability being used for foul play.