Medtronic criticized for lax response to hacking vulnerability

Medtronic is acknowledging that it took too long to analyze a cybersecurity problem that hackers say could allow a malicious attacker to compromise the system used to update the software on defibrillators implanted in patients' chests.

The Minnesota-run medical device maker said the vulnerabilities in its CareLink 2090 programmers for implantable defibrillators worldwide don't create a safety risk for patients, but the company has stepped up internal integrity checks on its network and amplified its advice to keep the devices in a secure environment without access to the internet.

The Homeland Security Department published a brief security advisory about the issue last week. Billy Rios, the founder of the firm WhiteScope LLC that discovered the flaws, says it took Medtronic over a year to handle flaws that should have taken weeks to address.

The WhiteScope report says cybersecurity vulnerabilities in systems like those in Medtronic's CareLink 2090 defibrillator programmer could allow a malicious hacker to remotely tamper with the programmer or the implanted device.

Rios says he was so dismayed by Medtronic's laggard pace in addressing the findings of his January 2017 report that he's likely to bring future vulnerability reports directly to regulators like the Food and Drug Administration rather than alerting the company first, as is common practice in the industry.

"This was probably the most frustrating disclosure of a cybersecurity vulnerability of any medical device I've ever encountered," Rios said. "They have a responsibility to figure this stuff out and not try to essentially slow-play researchers to try to make them go away. That's why I'm so frustrated here. We've worked with all the major manufacturers in the pacemaker ecosystem. … None of them have treated us this way."

Two independent security researchers who reviewed the WhiteScope report confirmed that it appeared to use sound methodology to reach its conclusions. The researchers said the root of the vulnerability is that the CareLink 2090 programmers appear to use commercially available software, including an embedded version of the Microsoft XP operating system that hasn't been supported by Microsoft since 2016.

The report says WhiteScope researchers were able to use known vulnerabilities in the underlying software to exploit weaknesses in a used CareLink 2090 unit purchased online. The WhiteScope hackers got the system to cough up several network and device passwords, which together could be used to compromise Medtronic's network for pushing software updates to devices, the report says.

Medtronic issued a statement on Monday acknowledging Rios' criticism that it look "longer than all of us expected" to confirm the findings and issue a response. Medtronic defended itself by saying that employees determined "early in the process" that the vulnerability didn't affect patient safety.

"It took significant time and resources to thoroughly assess the matter and determine what risks, if any, existed," Medtronic spokeswoman Erika Winkels said via e-mail. Medtronic "will implement some new procedures internally to help streamline and improve our efficiency and share what we learn."

The statement added that the company intends to "be quicker to coordinate between ICS-CERT, FDA and the researcher, and more efficient with any public disclosure."

ICS-CERT is the Homeland Security Department's Industrial Control Systems Cyber Emergency Response Team, which monitors cyber vulnerabilities in critical U.S. infrastructure, including medical technology; FDA is the U.S. Food and Drug Administration, which strongly encourages device companies to consider a product's total life cycle, including future security needs, when designing new medical devices.

While Rios and Medtronic agree that vulnerabilities were present in the CareLink 2090, they disagree on whether the issue could affect patients directly.

The device at the center of the issue is a programmer that is used in the hospital or doctor's office to communicate with an implanted heart defibrillator to record diagnostics and program therapy settings.

Fourteen months ago, WhiteScope researchers provided Medtronic with a 22-page report purporting to document cybersecurity flaws that would allow a malicious hacker to change the therapy provided by the machine, according to a copy of the report.

Although the software problems in the CareLink device offered keys to hack the Medtronic network, the hackers stopped short of doing so. Rather, they used the vulnerabilities to hack a replica of the Medtronic network, then told Medtronic what they found.

Rios said Medtronic took more than a year to address the issue, but standard industry protocol usually provides 45 days to mitigate a problem before the issue is publicized.

In the Homeland Security alert published last week, Medtronic recommended doctors maintain "good physical control" over their CareLink devices, only connect to "secure" networks, and update system software when Medtronic updates become available. Separately, Medtronic developed "server-side" security changes and new integrity updates to monitor for system hacking, but no new software update is forthcoming for the issues outlined in Rios' report.

Other experts in the med-tech cybersecurity field said there are sound reasons why it can be difficult to address problems like those pointed out by WhiteScope.

Todd Carpenter, chief engineer at Minneapolis cybersecurity firm Adventium Labs, said it can be risky for medical technology makers to rush fixes onto the market, especially when there's no allegation of a patient being harmed.

"To a company the size of Medtronic — they are holding the safety of tens of thousands of people in their hands. You don't make arbitrary changes, even when they are well-intentioned," Carpenter said. "If you mess something up, you will cause harm."

Joe Carlson • 612-673-4779