Skip to main content
close search
site logo
Dive Brief

Medtronic reveals high-risk cyber vulnerability in electrosurgical generators

Published Nov. 8, 2019
By
Contributor
flickr user DonkeyHotey

Dive Brief:

  • Medtronic found a cybersecurity vulnerability that could enable hackers to take control of certain electrosurgical generators, the company said Thursday.

  • The Department of Homeland Security issued an advisory on the vulnerability, rating it a 9.8 on a 10-point risk scale, reflecting the potential for a low-skilled hacker to remotely exploit the weakness.

  • Medtronic created a software patch for some of the affected devices but it is still working to provide a fix for all the generators.

Dive Insight:

The vulnerability affects Valleylab FT10 and Valleylab FX8, electrosurgical generators Medtronic acquired in its $42.9 billion takeover of Covidien which closed in early 2015. Healthcare professionals use the devices in surgical procedures, such as vessel sealing.

Medtronic said it's found several cybersecurity vulnerabilities that affect the generators. DHS identified a weakness in the system used to upload files as the biggest problem, awarding it a 9.8 score on the cybersecurity risk scale.

The company explained the potential harm that could stem from the weakness in a security bulletin to disclose the problem. "These vulnerabilities could allow an unauthorized individual to take control of an electrosurgical generator, either through the network or through physical access to the device and change various settings," Medtronic wrote.

DHS grouped the file upload vulnerability with two other weaknesses, which scored 5.8 and 7.0 on the risk scale. The other two vulnerabilities relate to the encryption of passwords and access to files kept on the devices.

Medtronic and DHS also disclosed a second set of vulnerabilities that affect the RFID security mechanism Valleylab FT10 and Valleylab LS10 used to check if surgical instruments are authentic. A hacker could use one of the RFID vulnerabilities to bypass the security mechanism, thereby enabling the use of instruments other than authentic Medtronic products. DHS rated the issue as 4.8 on the risk scale.

Work is underway to fix both sets of vulnerabilities. Medtronic has developed a patch for some versions of its FT10 devices that is designed to address all of the weaknesses. The company will notify users of FX8 and LS10 generators when a patch for their devices is available. In the meantime, Medtronic is encouraging users to take precautions such as only connecting the generators to the hospital network when necessary.

The DHS cybersecurity alerts for the two sets of vulnerabilities are the ninth and tenth covering Medtronic devices, as listed by the Cybersecurity and Infrastructure Security Agency​. None of the previous vulnerabilities received a risk rating as high as the 9.8 awarded to the file upload weakness.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Osteal Therapeutics Announces Positive 12-Month Results from the APEX Clinical Trial Program a…
From Osteal Therapeutics
November 14, 2024
Arsenal Medical Launches EMBO-02 Study for NeoCast™ to Assess Treatment of Chronic Subdural He…
From Arsenal Medical
November 14, 2024
Lunit Shows Promise of AI in Predicting Immunotherapy Response for Rare Cancer Patients at SIT…
From Lunit
November 10, 2024
Echosens Launches its Liver Health Management (LHM) Platform Globally, Streamlining Liver Care
From Echosens
November 04, 2024
Editors' picks
Latest in Medical Devices
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell