The US Dept. of Homeland Security’s Industrial Control Systems Computer Emergency Response Team this week flagged two Medtronic (NYSE:MDT) devices for cybersecurity vulnerabilities that could allow attackers to obtain sensitive information, according to a HealthITSecurity report.
The Fridley, Minn.-based medtech giant’s MyCareLink patient monitor and MiniMed Paradigm insulin pump and remote controller were specifically identified by the group, according to the report.
ICS-Cert said that the MyCareLink patient monitor insufficiently verifies data authenticity and allows passwords to be stored in a recoverable format, according to HealthITSecurity. Such vulnerabilities could allow someone with physical access to the device to obtain product credentials used to upload data to Medtronic’s network, and would allow for the submission of false, forged data to the network.
Medtronic responded to the warning, saying that the issues “do not allow modification of patient health information or existing data on the MyCareLink network.”
“There are no known reports of data being impacted or targeted by the identified vulnerabilities. Medtronic is increasing the level of authentication required to upload data from the MyCareLink Patient Monitor to the Medtronic CareLink Network. In addition, increased cybersecurity monitoring has been implemented to detect and respond to any potential attempts to upload invalid data,” Medtronic wrote in its release.
ICS-Cert also warned about issues associated with the cleartext transmission of sensitive information and authentication bypass by capture-relay with the MiniMed Paradigm insulin pump, according to HealthITSecurity.
The vulnerabilities could allow attackers to cause unexpected insulin deliveries, according to the report.
Medtronic said that to make such a bogus bolus delivery happen, a number of difficult steps would have to be carried out, and said it is not planning to address the vulnerabilities, according to HealthITSecurity.
Earlier this month, Medtronic said that Health Canada approved its Intellis spinal cord stimulator, touting it as the smallest such device on the market today.