FDA issues warning about cybersecurity vulnerabilities in Medtronic Programmers

Medtronic has recently disabled the internet update functionality of two of its CareLink devices, which are used to program pacemaker implants. The move came after the company along with the U.S Food and Drug Administration (FDA) reviewed the vulnerabilities in the software update process which in turn could be affected by cyber attacks.

The vulnerabilities identified in the update process allow an individual to update the devices with non-Medtronic software. The company also said that the vulnerabilities could result in patient harm depending on the intent of the attacker and the patient’s condition.

The U.S Food and Drug Administration (FDA) also released a statement about the vulnerabilities' details affecting Medtronic’s Carelink 2090 and Carelink Encore 29901 programmer devices.

About the vulnerable programmers

These programmers are used during implantation and regular follow-up visits for Medtronic cardiac implantable electrophysiology devices (CIED’s) such as pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors.

Also, these programmers allow physicians to collect data such as performance information and battery status etc., from CIED’s. They can also adjust or reprogram the device based on the patient’s health improvement. Medtronic can also use these programmers to deliver software updates to the implanted devices.

Moreover, the programmer software can be downloaded from the internet and updated over the internet, by connecting to the Medtronic Software Distribution Network (SDN), or by using a USB cable with the programmer.

Feature disabled due to security concerns

When the programmer connects to the Medtronic SDN over the internet for an update, it uses a virtual private network. The programmer should also verify the status of the VPN connection before starting to download the software updates. However, the affected devices do not seem to verify the status of the VPN connection before starting the download process.

“To address this vulnerability and improve patient safety, on October 5, 2018, the FDA approved Medtronic's update to the Medtronic network that will intentionally block the currently existing programmer from accessing the Medtronic SDN,” the FDA said in its statement.

Also, Medtronic said in its security bulletin, “To remediate these vulnerabilities and enhance the security of device programmers, Medtronic has disabled access to the SDN. When software updates are needed, a Medtronic representative will manually update, via a secured USB, all CareLink 2090 and CareLink Encore 29901 programmers.”

Now, when users try to update the programmer over the internet by choosing the “Install from Medtronic” option, error messages such as “Unable to connect to a local network ” are displayed.

Medtronic did not notice any malicious incidents till date owing to the exploitation of the vulnerability. However, adverse reactions or quality problems can be reported to the FDA’s MedWatch Adverse Event Reporting program either online, by email or by fax, said the Medtronic statement.