
The future of healthcare lies in technology, and today it’s all about networked medical devices. Today’s insulin pumps, pacemakers, ventilators, defibrillators, monitors, and more are all equipped with sensors, network capabilities, and Internet connectivity that allow data to be transferred via wireless networks.

These devices can improve patient health and quality of life as they allow uninterrupted monitoring of data, giving doctors real-time information that can help improve care and reduce the risk of complications.

But the technology also opens the door to hackers, who could get into the systems and potentially cause the devices to malfunction. Medtronic, the manufacturer of many medical devices, recently shut off its internet-based update system for this reason, after security researchers found that hackers could update the device with malicious software that could negatively affect a patient’s heartbeat.

Medtronic Disables Updating Network to Reduce Risk of Hacking

Medtronic makes the Carelink pacemaker, and for nearly two years has gone back and forth on its technology in response to hacking concerns. According to Wired, researchers Billy Rios of the security firm Whitescope and Jonathan Butts of QED Secure Solutions found weaknesses in the technology that left it vulnerable to hacking, particularly when it came to updating the software. They noted that attackers could exploit these weaknesses to “control implanted pacemakers remotely, deliver shocks patients don’t need or withhold ones they do, and cause real harm.”

The FDA recently confirmed this concern, noting that they had reviewed information about the potential cybersecurity vulnerabilities associated with Medtronic’s implantable device, and agreed that they could allow an unauthorized user to change the function of the device.

Medtronic was allegedly slow to respond, denying any problems at first, and later tried issuing updates to help increase safety. The company then decided to intentionally disable access to the network for the download of new or updated software to the implants. When updates are needed, a Medtronic representative will now manually perform those updates via a secured USB connection.

Medtronic noted in a statement that they are working on “additional security updates” to improve the updating process.

Researchers Suggest Improved Measures to Reduce Risk of Tampering

Medtronic isn’t the only manufacturer facing this issue. The FDA recalled about half a million pacemakers made by Abbott and sold under the St. Jude Medical brand in 2017 because of fears that they could be hacked.

Other devices are at risk, too. In a 2018 article published in the Journal of the American College of Cardiology, researchers noted that the potential for hacking implantable electronic devices like pacemakers and defibrillators may be a growing problem for patients and healthcare providers.

“This is a burgeoning problem that our newly electronically connected world faces,” the researchers wrote. They suggested that manufacturers address the issue during product testing both before and after the products go onto the market by using remote monitoring and protective software embedded into the hardware of the devices.
