Medtronic Devices Latest to Receive Vulnerability Warning from DHS

The Department of Homeland Security (DHS) has issued a rash of vulnerability warnings for medical devices so far this month. The most recent pertains to Medtronic’s N'Vision Clinician Programmer.

The device is used to program neurostimulator implants—devices implanted near the spine to deliver pulses that can assuage chronic back pain. According to DHS, it can be exploited with “low skill level”: The vulnerability requires access to the device, though. Its removable compact flash card contains unencyrpted protected health information (PHI) that could pose a threat to a patient’s privacy were it to fall into the wrong hands.

Medtronic doesn’t have a fix in place to mitigate the potential flaw, but recommends maintaining strict control of the card and only using “legitimately obtained” cards issued with the company’s official software.

>>READ: To Fight Phishing, Let's Look at Fatigue

Based on the CVSS threat rating system, which assesses a 0-10 score based on severity, the issue was scored a 4.6.

The agency assessed higher scores for other healthcare device vulnerabilities this month. Some of GE Healthcare’s portable electrocardiogram devices might be vulnerable to unauthorized remote access. The devices run on GE’s MobileLink system, which contains Silex technology—both companies were named in the recent warning.

The DHS lists a CVSS of 7.4 and says that the flaw could be exploited by a hacker with low skill. Public exploits are known to be available, and exploitation could allow an unauthorized user to modify device settings and functionality. GE recommends enabling a non-default update function, and is currently validating firmware to fix the problem that should be available May 31^st.

Yet another warning was issued earlier this month, this time for Phillips’ Brilliance CT scanners. The systems’ contained kiosk runs on a modified Windows operating system, and could be susceptible to exploitation that would allow unauthorized access to patient PHI and system configuration. “This could impact system confidentiality, system integrity, or system availability,” according to DHS.

Again, the flaw is listed as requiring a low level of skill to exploit, though the company is not aware of any incidence of that happening to date.

Phillips recommends maintaining strict protocols for who may physically access the system, and also makes some common-sense suggestions about avoiding phishing attacks.

“Philips will be further assessing options for remediation with future product introductions and/or upgrades across the Brilliance CT modality to address these identified security vulnerabilities,” the DHS warning says, assessing a CVSS of 8.4.

Related Coverage:

Examining the Hacking Threat to Heart Implants

Healthcare Cybersecurity Remains "Understaffed and Underfunded"

A Curious, New Hardware Fix for Cybersecurity Vulnerabilities