Medtronic has issued a software update “to address a safety risk caused by cybersecurity vulnerabilities” in 34,000 of their cardiac implantable electronic devices (CIEDs), the US FDA writes in a safety communication to healthcare professionals.
Following a review of information regarding potential security risks associated with the internet connection of Medtronic’s pacing programmers, the FDA has confirmed that these vulnerabilities could allow an “unauthorised user”, other than the patient’s physician, to change the programmer’s functionality or the implanted device during an implantation procedure or a follow-up visit, the safety communication states.
The vulnerabilities are associated with the internet connection between the CareLink 2090 and CareLink Encore 29901 Programmers and the Medtronic Software Distribution Network (SDN), which the programmers use to download software.
“Specifically,” the FDA clarifies, “this cybersecurity vulnerability is associated with using an internet connection to update software between the CareLink and CareLink Encore programmers and the SDN. Software updates normally include new software for the programmer’s functionality as well as updates to implanted device firmware. Although the programmer uses a virtual private network (VPN) to establish an internet connection with the Medtronic SDN, the vulnerability identified with this connection is that the programmers do not verify that they are still connected to the VPN prior to downloading updates.
To address this cybersecurity vulnerability and improve patient safety, on 5 October 2018, the FDA approved Medtronic’s update to the Medtronic network that will intentionally block the currently existing programmer from accessing the Medtronic SDN.
As such, attempting to update the programmer through the internet by selecting the “Install from Medtronic” button on the programmer will result in error messages such as “Unable to connect to local network” or “Unable to connect to Medtronic.” These errors are due to disabling the SDN and are not a result of a programmer or local information technology (IT) issue.”
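The defect the FDA describes, a VPN check made once at session start rather than immediately before each transfer, can be modelled in a few lines. The following is an added illustration, not Medtronic's code: the tunnel, the SDN session and the chunked download are constructed stand-ins, and the two download functions contrast the described behaviour with a fail-closed variant.

```python
from dataclasses import dataclass, field
from typing import List


class VpnDown(Exception):
    """Raised when the tunnel is not up at the moment a transfer would occur."""


@dataclass
class TunnelState:
    """Constructed stand-in for the programmer's VPN client status."""
    up: bool = True


@dataclass
class SdnSession:
    """Constructed stand-in for an update session with the SDN.

    Each fetch records whether the bytes travelled inside the tunnel ("vpn")
    or over the bare hospital network ("plain"). The tunnel drops after
    `drop_after` chunks to simulate a VPN that dies mid-session.
    """
    tunnel: TunnelState
    chunks: List[bytes]
    drop_after: int
    log: List[str] = field(default_factory=list)

    def fetch(self, i: int) -> bytes:
        self.log.append("vpn" if self.tunnel.up else "plain")
        data = self.chunks[i]
        if i + 1 == self.drop_after:
            self.tunnel.up = False  # VPN goes down after this chunk
        return data


def download_vulnerable(sdn: SdnSession) -> bytes:
    """Checks the VPN once, at session start, then keeps downloading.
    Later chunks can arrive over the plain network unnoticed."""
    if not sdn.tunnel.up:
        raise VpnDown("tunnel not up at session start")
    return b"".join(sdn.fetch(i) for i in range(len(sdn.chunks)))


def download_hardened(sdn: SdnSession) -> bytes:
    """Re-checks the tunnel before every transfer and fails closed:
    a drop at any point aborts, and partial data is discarded."""
    received = []
    for i in range(len(sdn.chunks)):
        if not sdn.tunnel.up:
            raise VpnDown(f"tunnel lost before chunk {i}; discarding partial update")
        received.append(sdn.fetch(i))
    return b"".join(received)
```

Even the per-transfer check leaves a window between the check and the transfer, so it is a compensating control rather than a substitute for authenticating the update package itself on the programmer.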
The FDA gives the following recommendations for healthcare professionals with patients using the affected devices:
- Continue to use the Programmers for programming, testing and evaluation of CIED patients. Network connectivity is not required for normal CIED programming and similar operation.
- Other Medtronic-provided features that require network connections are not impacted by these vulnerabilities (e.g., SessionSync). You may continue to use such features.
- Do not attempt to update the Programmer through the SDN. If you select the “Install from Medtronic” button, it will not result in software installation because access to the external SDN is no longer available.
- Future programmer software updates must be received directly from a Medtronic representative with a USB update.
- Maintain control of Programmers within your facility at all times according to your hospital’s IT policies.
- Operate the Programmers within well-managed IT networks. Consult with your IT department regarding the security of your network. For recommended actions to better secure your computer network environment, refer to https://www.nist.gov/cyberframework or other applicable cybersecurity guidance.
- Reprogramming or updating of CIEDs is not required as a result of this correction and prophylactic CIED replacement is not recommended.