(This is one of the affected Medtronic programmers, which allow doctors to tweak the implant's settings.)
Implantable defibrillators are placed under the skin to monitor the patient's heart. If they detect a wildly irregular rhythm, they shoot out electric shocks to restore the person's normal heartbeat. The vulnerabilities allow bad actors to change or inject data sent between a defib and its programming device. Medtronic's affected products don't use formal authentication or authorization protections, which means attackers can alter the implant's settings and potentially harm the patient.
Since the hacker has to be in close proximity to the affected devices, though, the company told the Star Tribune that the risk of physical harm to patients with implants appears to be low. It also said that it's now monitoring its network for signs of exploit attempts, and it assured patients that its defibrillators will automatically shut down wireless communications if they receive unusual commands.
Even so, the company is reminding patients to only use devices obtained directly from healthcare providers and to keep wireless communications open so they receive the security patch when it rolls out. Also, in addition to physically keeping monitors and programmers safe, Medtronic is discouraging patients from plugging USB sticks and other unapproved accessories into the devices.