The Department of Homeland Security and medical device maker Medtronic have issued alerts about a lack of encryption on certain cardiac programming devices, a weakness that could allow inappropriate access to patient information stored on the programmer.
Hospitals and clinics use the affected programmers to program and manage Medtronic cardiac implantable electronic devices, such as pacemakers.
Advisories issued on Dec. 13 by DHS’ Industrial Control Systems Cyber Emergency Response Team and Medtronic note that, if exploited, the missing encryption vulnerability may allow an attacker with physical access to the affected programmer to access information stored on the device.
Medtronic notes that patient information is intended to be stored on the programmers for short periods of time before being transferred to other medical systems or printed to paper reports.
“If the PHI/PII settings are not properly managed or the programmer is not properly retired, patient PHI/PII may remain on a programmer longer than necessary,” Medtronic notes. “The specific types of PHI/PII stored by a programmer includes device serial number and device configuration settings. Other types of PHI/PII potentially stored on a programmer is determined by the personnel using the system.”
Layer 7 will follow and update this report as the story continues to unfold.