Medtronic has urged customers of its cardiac device data workflow systems to follow mitigation steps to reduce the risk of data being leaked.
In a security update, the medtech giant said it had identified a flaw in an optional messaging feature that, if enabled, an authorised user could exploit, potentially leading to the deletion, theft or modification of cardiac device data. The company outlined a fix for the issue on current software and said it has issued a further software update that removes the messaging feature.
Medtronic’s Paceart Optima offers a platform to compile and store data from cardiac devices used by patients. It offers data management from devices made by other manufacturers including Boston Scientific, Abbott and Biotronik.
In the same security update, Medtronic said it has “not observed any cyberattacks, unauthorised access to or loss of patient data, or harm to patients related to this issue.”
The US Cyber Security and Infrastructure Agency (CISA) released a medical advisory following the news. NHS Digital also issued a cyber alert, instructing organisations to review the security update and take necessary precautions.
Cybersecurity is a hot topic in the medical device industry after the US Food and Drug Administration (FDA) clarified new requirements for cybersecurity measures in submitted medical devices. By October this year, companies submitting a product to the agency will be expected to demonstrate that it includes cybersecurity measures. The move follows new laws passed by the US government to improve cybersecurity. Cybersecurity matters increasingly in healthcare given the ever-increasing volume of stored patient data and the growing popularity of remote monitoring devices.
According to GlobalData, between 2020 and 2025, cybersecurity in medical devices is forecast to grow at a CAGR of 7.3% from $869m to $1.23bn.
A high-profile cybersecurity case came in 2017, when the US government investigated St Jude amidst its $25bn deal to be acquired by Abbott. St Jude was accused of having significant cybersecurity shortcomings in its implantable pacemakers, with nearly half a million devices needing to be recalled.
Reacting to the new FDA requirements issued in March, Dr Brett Walkenhorst, CTO at Bastille, a wireless threat intelligence company, said in a statement sent to Medical Device Network: “The FDA’s requirement to secure medical devices against potential cyberattacks is an important step forward for the future of healthcare. As demonstrated by the vulnerabilities discovered in the St. Jude Pacemakers, wireless exploitation of medical devices can be life-threatening.”
With remote monitoring and the wireless transmission and storage of data becoming more prevalent, the move by the FDA aims to place more responsibility on manufacturers to protect patient data.
“As the healthcare industry accelerates its adoption of telemedicine and wireless technologies, the threat of radio frequency attacks is at an all-time high, not just for devices but for facilities as well,” Walkenhorst added.
“Many administrative and process control systems use radio rather than hardwired connections, making it essential that every facility be aware of what’s happening in its airspace as well as on its wired networks.”