The US Department of Homeland Security (DHS) has flagged a weakness in the security of a device for programming Medtronic’s neurostimulator implants. Exploiting the vulnerability would give a hacker access to personal health information.
After being alerted to the vulnerability by security company WhiteScope, the DHS put out a notice alerting users to the risk the N’Vision clinician programmer could leak personal information.
Physical access to an N’Vision flash card is needed to access the information. Once that barrier is overcome, an attacker would need little skill to access the information, which isn’t encrypted by the device at rest. The issue was given a score of 4.6, classing it as a medium-severity vulnerability.
Medtronic is yet to develop a product update to address the vulnerability but has highlighted steps users can take to minimise the risk. These centre on ensuring the flash cards do not fall into the wrong hands.
The risks posed by the vulnerabilities varies from product to product, both because of differences in the ease of exploiting them and the likely fallout from doing so. But the National Cybersecurity and Communications Integration Centre is advising users to take mitigating steps even when the chances of a breach are slim.
Medtronic issued a statement about the DHS notification: “Medtronic was notified by an external security researcher of a potential vulnerability related to the Medtronic N’Vision 8840 Physician Programmer, a small, handheld device used solely by healthcare professionals to program certain Medtronic neuromodulation devices. The researcher’s report details that the compact flash application card used in the physician programmer may contain unencrypted patient personal health information if that information is not deleted following individual patient device programming,” the company said.
