Medtronic is issuing a software update to address a safety risk caused by cybersecurity vulnerabilities associated with the internet connection between the Carelink 2090 and Carelink Encore 29901 implantable EP device programmers.
October 17, 2018 — The U.S. Food and Drug Administration (FDA) has reviewed information about potential cybersecurity vulnerabilities associated with the internet connection of Medtronic's cardiac implantable electrophysiology device (CIED) programmers. The FDA said it has confirmed that these vulnerabilities could allow an unauthorized user to change the programmer's functionality or the implanted EP device during the device implantation procedure or during follow-up visits.
The FDA reported Oct. 11 that Medtronic is issuing a software update to address a safety risk caused by cybersecurity vulnerabilities associated with the internet connection between the Carelink 2090 and Carelink Encore 29901 programmers used to download software from the Medtronic software distribution network (SDN) . This update is a voluntary recall correction by the manufacturer to address the safety risk caused by the cybersecurity vulnerability.
The cybersecurity vulnerability is associated with using an internet connection to update software between the CareLink and CareLink Encore programmers and the SDN. Software updates normally include new software for the programmer's functionality as well as updates to implanted device firmware. Although the programmer uses a virtual private network (VPN) to establish an internet connection with the Medtronic SDN, the FDA said the vulnerability identified with this connection is that the programmers do not verify that they are still connected to the VPN prior to downloading updates.
To address this cybersecurity vulnerability and improve patient safety, on Oct. 5, 2018, the FDA approved Medtronic's update to the Medtronic network that will intentionally block the currently existing programmer from accessing the Medtronic SDN.
As such, attempting to update the programmer through the internet by selecting the "Install from Medtronic" button on the programmer will result in error messages such as "Unable to connect to local network" or "Unable to connect to Medtronic." These errors are due to disabling the SDN and are not a result of a programmer or local information technology (IT) issue.
To date, there are no known reports of patient harm related to these cybersecurity vulnerabilities.
There are no updates to the CareLink 2090 or CareLink Encore 29901 programmers at this time. However, the FDA said Medtronic is working to create and implement additional security updates to further address these vulnerabilities.
Medtronic CareLink and CareLink Encore programmers are used during implantation and regular follow-up visits for CIEDs. These devices include include pacemakers to provide pacing for slow heart rhythms, implantable defibrillators to provide an electrical shock or pacing to stop dangerously fast heart rhythms, cardiac resynchronization devices to pace the heart to improve contraction to treat heart failure, and insertable cardiac monitors for long-term cardiac monitoring for irregular or abnormal heart rhythms.
Medtronic programmers allow physicians to obtain device performance data, check battery status, and adjust or reprogram device settings from a CIED. When necessary, the programmers are also used by Medtronic staff to update software in the implanted device. The programmer software can be downloaded and updated either through internet connection to the Medtronic SDN or by a Medtronic representative plugging a universal serial bus device (USB) into the programmer.
Recommendations for Healthcare Providers
The FDA said providers should continue to use the programmers for programming, testing and evaluation of CIED patients. Network connectivity is not required for normal CIED programming and similar operation. Other Medtronic-provided features that require network connections are not impacted by these vulnerabilities (e.g.,SessionSync).
The FDA warned not to attempt to update the programmer through the SDN. If you select the "Install from Medtronic" button, it will not result in software installation, because access to the external SDN is no longer available. Future programmer software updates must be received directly from a Medtronic representative with a USB update.
The FDA recommends maintain control of programmers within the provider's facility at all times according to your hospital's IT policies, and to operate the programmers within well-managed IT networks.
For recommended actions to better secure your computer network environment, refer to www.nist.gov/cyberframework or other applicable cybersecurity guidance.
Reprogramming or updating of CIEDs is not required as a result of this correction and prophylactic CIED replacement is not recommended, the FDA stated.
Recommendations for Patients and Caregivers
The FDA said there are no actions recommended for patients or caregivers related to this software update or cybersecurity vulnerability.
Consult with your physician for routine care and follow-up.
The FDA reminds patients, patient caregivers, and healthcare providers that any medical device connected to a communications network (for example: wi-fi, public, or home internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. However, the increased use of wireless technology and software in medical devices can also offer safer, timely and more convenient healthcare delivery.
For more information — www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/REV-Medtronic-2090-Security-Bulletin_FNL.pdf, or contact Medtronic Technical Services at 1-800-638-1991.
FDA Takes Cybersecurity Seriously
Medtronic is the second EP device maker to have an EP recall due to cybersecurity vulnerabilities of its technologies. The first major public discussion of the potential hacking of pacemakers and implantable defibrillator (ICDs) was in 2016 when a business market intelligence firm reported St. Jude Medical's EP technologies could be hacked. The FDA then raised serious concerns over these vulnerabilities. St. Jude Medical was purchased by Abbott during that time. The FDA cleared fixes for Abbott's cybersecurity vulnerabilities in August 2017.
Related Cardiac EP Device Cybersecurity Content: