Medtronic disables cardiac programmer updates over security risk

12 October 2018 (Last Updated October 12th, 2018 12:27)

Medtronic has disabled online updates for its CareLink and CareLink Encore programmers, models 2090 and 29901, because they were found to be vulnerable to cybersecurity attacks.

The programmers allow healthcare providers to access Medtronic cardiac implantable electrophysiology devices (CIEDs), which include pacemakers and defibrillators, among others.

Physicians can use the programmers to retrieve device performance data from a CIED, check battery status and adjust or reprogram device settings.

Software for these programmers can be downloaded and updated via an internet connection to the Medtronic Software Distribution Network (SDN) or by a Medtronic representative who uses a universal serial bus (USB) device.

Medtronic revealed in a security bulletin that researchers from WhiteScope detected vulnerabilities in the CareLink 2090 and CareLink Encore 29901 programmers, and associated SDN.

The company said: “If not mitigated, these vulnerabilities could result in potential harm to a patient.” However, Medtronic noted that it has not so far received any report of such an attack or patient harm.

In a safety notice issued by the US Food and Drug Administration (FDA), the agency said that it reviewed the vulnerabilities and found opportunities for an unauthorised user to access the programmer or the implanted device.

To address these concerns and improve cybersecurity, Medtronic has disabled access to the SDN. The medical device firm plans to send a representative to carry out manual updates when required.

Medtronic added: “Medtronic is working on additional security updates for the impacted programmers and the SDN update process. We will implement these updates following regulatory agency approvals.”

Both the FDA and the company recommended that healthcare providers continue using the CareLink programmers but advised against updating the software over the internet.

The agency added that patients or caregivers need not take any action in connection with this software update or cybersecurity vulnerability.