The U.S. Food and Drug Administration released the safety communication to inform users about a vulnerability in the software update process of two Medtronic programmer models. The flaws could allow attackers to tamper with the programmers used for implanted devices.
The vendor blocked the functionality on the vulnerable devices
The vulnerability was found in the Medtronic CareLink and CareLink Encore Programmers, models 2090 and 29901. The programmers are used during implantation and follow-up visits for Medtronic Cardiac Implantable Electrophysiology Devices (CIEDs), including pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors. Medtronic programmers are Internet-connected and enable physicians to gather data from the devices, obtain performance data, check battery status, adjust settings, or reprogram the devices. They are also used for software updates.
Once the vulnerabilities were discovered, the company disabled access to the software deployment network (SDN) through a software update.
To remediate these vulnerabilities and enhance cybersecurity of device programmers, Medtronic has disabled access to the SDN. When software updates are needed, a Medtronic representative will manually update, via a secured USB, all CareLink 2090 and CareLink Encore 29901 programmers.
Even though the connection to the Medtronic SDN is encrypted via a VPN, the CIED cannot confirm that the VPN connection is still up before receiving software updates.
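The weakness described above, a client that checks the secure channel once and then assumes it stays up for the rest of the download, is illustrated below with a small simulation. This is an added example, not Medtronic's code or the FDA's: the `SimulatedLink` class, the chunked "firmware" bytes, the HMAC-based manifest tag (a stand-in for a vendor signature) and the hypothetical shared key are all constructed here. It contrasts an update client that verifies the channel only at the start with one that re-verifies before every transfer and additionally checks the downloaded image against a signed manifest, so a tampered image is rejected even if the channel check were bypassed.

```python
import hmac
import hashlib

# Constructed "firmware" image split into the chunks the server would deliver.
SERVER_CHUNKS = [b"firmware-part-1", b"firmware-part-2", b"firmware-part-3"]
GENUINE_IMAGE = b"".join(SERVER_CHUNKS)
# Constructed stand-in for data arriving over an untrusted path once the tunnel is gone.
UNTRUSTED_CHUNK = b"TAMPERED-PART-X"
# Hypothetical shared key used to tag the update manifest (stand-in for a vendor signature).
MANIFEST_KEY = b"example-manifest-key-not-real"


class SimulatedLink:
    """Simulated transport whose VPN tunnel drops after a given number of chunk fetches."""

    def __init__(self, vpn_drops_after):
        self.delivered = 0
        self.vpn_drops_after = vpn_drops_after

    def vpn_is_up(self):
        # The tunnel is up only for the first `vpn_drops_after` transfers.
        return self.delivered < self.vpn_drops_after

    def fetch_chunk(self, index):
        # While the tunnel is up the genuine chunk arrives; afterwards the link
        # silently falls back to an untrusted path (constructed to show the effect).
        chunk = SERVER_CHUNKS[index] if self.vpn_is_up() else UNTRUSTED_CHUNK
        self.delivered += 1
        return chunk


def insecure_download(link):
    """Checks the VPN once, then downloads every chunk without re-checking."""
    if not link.vpn_is_up():
        return None
    return b"".join(link.fetch_chunk(i) for i in range(len(SERVER_CHUNKS)))


def secure_download(link):
    """Re-verifies the VPN before each transfer and aborts if it has dropped."""
    image = b""
    for i in range(len(SERVER_CHUNKS)):
        if not link.vpn_is_up():
            return None  # channel lost mid-update: discard partial image
        image += link.fetch_chunk(i)
    return image


def sign_update(image):
    """Produces the manifest tag the vendor side would attach (HMAC-SHA256 here)."""
    return hmac.new(MANIFEST_KEY, image, hashlib.sha256).hexdigest()


def verify_update(image, expected_tag):
    """Accepts the image only if its tag matches; constant-time compare."""
    if image is None:
        return False
    return hmac.compare_digest(sign_update(image), expected_tag)


if __name__ == "__main__":
    tag = sign_update(GENUINE_IMAGE)
    bad = insecure_download(SimulatedLink(vpn_drops_after=2))
    print("insecure client applied tampered image:", bad != GENUINE_IMAGE)
    print("manifest check rejects it:", not verify_update(bad, tag))
    print("secure client aborted:", secure_download(SimulatedLink(2)) is None)
    good = secure_download(SimulatedLink(vpn_drops_after=10))
    print("secure client on stable tunnel verified:", verify_update(good, tag))
```

The two checks are independent layers: re-verifying the channel before each transfer stops the download from continuing over an untrusted path, while the manifest verification catches a modified image regardless of how it arrived.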
The FDA notes that, in order to ensure patient safety, it has blocked any attempts to update the programmer over the Internet.
To address this cybersecurity vulnerability and improve patient safety, on October 5, 2018, the FDA approved Medtronic's update to the Medtronic network that intentionally blocks existing programmers from accessing the Medtronic SDN.
The FDA also notes that there are no known reports or information about any affected patients or harm related to these security flaws. In addition, there are no actions recommended for patients, caregivers, and healthcare providers.
The FDA says it will continue to cooperate with manufacturers, healthcare delivery organizations, security researchers and government institutions to develop and implement solutions for medical devices. The agency takes all security issues and vulnerabilities very seriously.
It is worth mentioning that earlier this year, the United States Department of Homeland Security disclosed security flaws in the 2090 programmers that could allow attackers with physical access to obtain credentials to the software deployment network.