Medtronic Warns of Defibrillator Hacking Vulnerability

Medtronic PLC self-disclosed last week to the U.S. Food and Drug Administration (FDA) that an unspecified problem in the wireless technology of 19 models of the company’s defibrillators makes them vulnerable to being hacked. The company said it is not aware of any cyberattacks, privacy breaches, or patient harm related to the 750,000 vulnerable devices.

The FDA, which regulates medical devices, had proposed in October 2018 that manufacturers of pacemakers, insulin pumps, defibrillators, and other devices that connect to the internet take steps to reduce cybersecurity risks. Several major manufacturers have criticized the FDA’s draft guidance document, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” as confusing, vague and overreaching. Medtronic was not among the companies that commented on the draft guidance; however, it is a member of the Advanced Medical Technology Association, a trade association for device manufacturers, which challenged the FDA’s authority to classify medical devices by their electronic features.

Medtronic, incorporated in Dublin and based in Minneapolis, said that it is working on software updates to better secure the defibrillators’ wireless communications. The updates are expected to be ready later this year and will be subject to regulatory approval.