Minnesota medical device giant Medtronic (NYSE:MDT) over the weekend issued a new manifesto on cybersecurity, promising to keep a close eye on its devices and take action on any new vulnerabilities it discovers.
The company also soothed some fears about medical device hacking, noting that there have been no incidents reported to date and that real-world device hacking would take some high-level technical savvy and unusual circumstances.
"Medtronic is actively engaged with security research firms and regularly conducts and uses independent assessments to improve the security of our systems," according to a new statement. "We continuously monitor the security of our devices and if new vulnerabilities are revealed, Medtronic will assess whether additional security measures can be implemented without compromising the therapy that the device is designed to deliver to patients."
The company has in the past made public statements about its cybersecurity focus, but the new proclamation appears to come without provocation. The medical device cybersecurity front has been relatively quiet since the summer’s hacking conferences and the sudden death of high-profile researcher Barnaby Jack.
Over the weekend former vice president Dick Cheney unveiled in an in-depth interview with 60 Minutes that his doctors had switched off the wireless communication capabilities in his implanted defibrillator out of fear that Cheney’s high-profile persona may draw the attention of malicious hackers. Medtronic’s latest statement didn’t directly reference the interview and neither Cheney nor his doctors revealed the manufacturer of the former VP’s implant.
Medtronic did, however, explain that certain features of its implantable cardiac devices make cybersecurity attacks unlikely to succeed. Many of the devices only communicate at close range, Medtronic said, and others are only receptive to communicate during narrow treatment windows. Despite what the company labeled as a low risk, Medtronic promised to build security into its devices.
"Medtronic has addressed device security in the design development process by implementing measures to safeguard patient safety," the company said. "If new vulnerabilities are revealed, Medtronic will assess whether additional security measures can be implemented without compromising the therapy which the device is designed to deliver for patients."
Researchers have proved in lab experiments that implanted, active cardiac devices are vulnerable to cyber-attack, as are other wireless-enabled medical devices such as insulin pumps and hospital management systems. A Medtronic implantable defibrillator was the subject of the 1st published medical device hack (conducted in 2008) and white hat hacker and researcher Jay Radcliffe made headlines when he hacked his on insulin pump live on stage during a conference in 2011.
Although the FDA has taken a greater interest in medtech cybersecurity, even so far as releasing new guidelines and building a "cybersecurity laboratory," no real-world instances of malicious medical device hacking have yet been reported. Security researchers have warned, however, that the lack of reports are likely due to a lack of proper monitoring and reporting mechanisms.