Feature | Cybersecurity | October 17, 2018

FDA Says Medtronic is Updating Cybersecurity Vulnerabilities of its Implantable Cardiac Device Programmers

Medtronic is issuing a software update to address a safety risk caused by cybersecurity vulnerabilities associated with the internet connection between the CareLink 2090 and CareLink Encore 29901 programmers used to download software from the Medtronic software distribution network (SDN). This update is a voluntary recall correction by the manufacturer to address the safety risk caused by the cybersecurity vulnerability.


October 17, 2018 — The U.S. Food and Drug Administration (FDA) has reviewed information about potential cybersecurity vulnerabilities associated with the internet connection of Medtronic's cardiac implantable electrophysiology device (CIED) programmers. The FDA said it has confirmed that these vulnerabilities could allow an unauthorized user to change the programmer's functionality or the implanted EP device during the device implantation procedure or during follow-up visits.

The FDA reported Oct. 11 that Medtronic is issuing a software update to address a safety risk caused by cybersecurity vulnerabilities associated with the internet connection between the CareLink 2090 and CareLink Encore 29901 programmers used to download software from the Medtronic software distribution network (SDN). This update is a voluntary recall correction by the manufacturer to address the safety risk caused by the cybersecurity vulnerability.

The cybersecurity vulnerability is associated with using an internet connection to update software between the CareLink and CareLink Encore programmers and the SDN. Software updates normally include new software for the programmer's functionality as well as updates to implanted device firmware. Although the programmer uses a virtual private network (VPN) to establish an internet connection with the Medtronic SDN, the FDA said the vulnerability identified with this connection is that the programmers do not verify that they are still connected to the VPN prior to downloading updates.

To address this cybersecurity vulnerability and improve patient safety, on Oct. 5, 2018, the FDA approved Medtronic's update to the Medtronic network that will intentionally block the currently existing programmer from accessing the Medtronic SDN.

As such, attempting to update the programmer through the internet by selecting the "Install from Medtronic" button on the programmer will result in error messages such as "Unable to connect to local network" or "Unable to connect to Medtronic." These errors are due to disabling the SDN and are not a result of a programmer or local information technology (IT) issue.

To date, there are no known reports of patient harm related to these cybersecurity vulnerabilities.

There are no updates to the CareLink 2090 or CareLink Encore 29901 programmers at this time. However, the FDA said Medtronic is working to create and implement additional security updates to further address these vulnerabilities.

Medtronic CareLink and CareLink Encore programmers are used during implantation and regular follow-up visits for CIEDs. These devices include pacemakers to provide pacing for slow heart rhythms, implantable defibrillators to provide an electrical shock or pacing to stop dangerously fast heart rhythms, cardiac resynchronization devices to pace the heart to improve contraction to treat heart failure, and insertable cardiac monitors for long-term cardiac monitoring for irregular or abnormal heart rhythms.

Medtronic programmers allow physicians to obtain device performance data, check battery status, and adjust or reprogram device settings from a CIED. When necessary, the programmers are also used by Medtronic staff to update software in the implanted device. The programmer software can be downloaded and updated either through internet connection to the Medtronic SDN or by a Medtronic representative plugging a universal serial bus device (USB) into the programmer.

Read the completed FDA safety alert.

Recommendations for Healthcare Providers

The FDA said providers should continue to use the programmers for programming, testing and evaluation of CIED patients. Network connectivity is not required for normal CIED programming and similar operation. Other Medtronic-provided features that require network connections are not impacted by these vulnerabilities (e.g., SessionSync).

The FDA warned not to attempt to update the programmer through the SDN. If you select the "Install from Medtronic" button, it will not result in software installation, because access to the external SDN is no longer available. Future programmer software updates must be received directly from a Medtronic representative with a USB update.

The FDA recommends maintaining control of programmers within the provider's facility at all times according to your hospital's IT policies, and operating the programmers within well-managed IT networks.

For recommended actions to better secure your computer network environment, refer to www.nist.gov/cyberframework or other applicable cybersecurity guidance.

Reprogramming or updating of CIEDs is not required as a result of this correction and prophylactic CIED replacement is not recommended, the FDA stated.

 

Recommendations for Patients and Caregivers

The FDA said there are no actions recommended for patients or caregivers related to this software update or cybersecurity vulnerability.
Consult with your physician for routine care and follow-up.

The FDA reminds patients, patient caregivers, and healthcare providers that any medical device connected to a communications network (for example: wi-fi, public, or home internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. However, the increased use of wireless technology and software in medical devices can also offer safer, timely and more convenient healthcare delivery.

For more information — www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/REV-Medtronic-2090-Security-Bulletin_FNL.pdf, or contact Medtronic Technical Services at 1-800-638-1991.

 

 

FDA Takes Cybersecurity Seriously

Medtronic is the second EP device maker to have an EP recall due to cybersecurity vulnerabilities of its technologies. The first major public discussion of the potential hacking of pacemakers and implantable defibrillators (ICDs) was in 2016, when a business market intelligence firm reported St. Jude Medical's EP technologies could be hacked. The FDA then raised serious concerns over these vulnerabilities. St. Jude Medical was purchased by Abbott during that time. The FDA cleared fixes for Abbott's cybersecurity vulnerabilities in August 2017.
 

 

Related Cardiac EP Device Cybersecurity Content:

Heart Rhythm Society Recommends How to Prepare for Cybersecurity Threats to Cardiac Implantable Devices

Raising the Bar for Medical Device Cyber Security

The State of Healthcare Cyber Security

Can Your Cardiac Device Be Hacked?

FDA Announces New Medical Device Safety Action Plan

 

 
