FDA Issues Alert Concerning Vulnerabilities in Medtronic Implantable Cardiac Device Programmers

The U.S. Food and Drug Administration (FDA) has issued an alert after it confirmed that certain Medtronic implantable cardiac device programmers have vulnerabilities that hackers could exploit to change the programmer’s functionality. The vulnerabilities are in Medtronic CareLink 2090 and CareLink Encore 29901 programmers and there are approximately 34,000 vulnerable programmers currently in use.

Doctors use the programmers to obtain performance data of implantable cardiac devices, to determine battery status, and for reprogramming the configuration settings of Medtronic cardiac implantable electrophysiology devices (CIEDs) such as implantable defibrillators, pacemakers, insertable cardiac monitors and cardiac resynchronization devices.

The vulnerabilities were detected by security researchers Billy Rios and Jonathan Butts in 2017. Medtronic confirmed the vulnerabilities in February 2018 and issued an advisory, but has only just issued fixes for the flaws.

The vulnerabilities lie in the process the programmers use to connect to the Medtronic Software Distribution Network (SDN) over the internet. The SDN connection is used to download software updates for the programmer itself and firmware updates for Medtronic CIEDs. Although a virtual private network (VPN) is used to connect the programmers to the SDN, the programmer performs no check that it is still connected to the VPN before it downloads updates, so a download can proceed over whatever network path the programmer happens to be on at that moment.
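The following is an added illustration of the control the alert describes as missing, written for this page; it is not Medtronic's code and makes no claim about how the CareLink programmers are implemented. It assumes a hypothetical `TunnelState` snapshot (interface status, tunnel address range, the interface the route to the update server uses) that a real implementation would read from the operating system, and it stands in a list of byte chunks for the network transport so it runs offline. The point it demonstrates is that the tunnel must be verified before the first byte and re-verified throughout the transfer, and that a partial download fetched while the tunnel was down must be discarded rather than applied.

```python
"""Refuse to download programmer updates unless the VPN tunnel is verifiably the path in use."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable


class TunnelDown(Exception):
    """Raised when the VPN tunnel is not (or is no longer) the path to the update server."""


@dataclass(frozen=True)
class TunnelState:
    """Snapshot of the tunnel as the OS would report it (hypothetical fields, assumed here)."""
    iface_up: bool        # tunnel interface is up
    local_addr: str       # address assigned to the tunnel interface
    tunnel_net: str       # address range reachable only through the tunnel
    route_iface: str      # interface the kernel route to the update server uses
    tunnel_iface: str = "tun0"


def tunnel_ok(state: TunnelState, server_ip: str) -> bool:
    """True only if the tunnel is up and the update server is actually reached through it."""
    net = ipaddress.ip_network(state.tunnel_net)
    return (
        state.iface_up
        and ipaddress.ip_address(state.local_addr) in net
        and ipaddress.ip_address(server_ip) in net
        and state.route_iface == state.tunnel_iface
    )


def fetch_update(probe: Callable[[], TunnelState], server_ip: str,
                 chunks: Iterable[bytes]) -> bytes:
    """Pull an update, re-checking the tunnel before the first and every later chunk.

    `probe` returns the current tunnel state; `chunks` stands in for the transport.
    If the tunnel drops mid-transfer, everything fetched so far is thrown away.
    """
    if not tunnel_ok(probe(), server_ip):
        raise TunnelDown("refusing to download: update server is not reached via the VPN")
    received = bytearray()
    for chunk in chunks:
        if not tunnel_ok(probe(), server_ip):
            raise TunnelDown("tunnel dropped mid-download; discarding partial update")
        received += chunk
    return bytes(received)


# Constructed sample data for the demonstration (not real Medtronic addresses or payloads).
UP = TunnelState(True, "10.8.0.12", "10.8.0.0/24", "tun0")
DOWN = TunnelState(False, "10.8.0.12", "10.8.0.0/24", "eth0")
SDN_IP = "10.8.0.1"
UPDATE = [b"firmware-part-1;", b"firmware-part-2;", b"firmware-part-3;"]


def states_then_drop(after: int) -> Callable[[], TunnelState]:
    """Probe that reports the tunnel up for `after` calls, then down (simulated drop)."""
    calls = {"n": 0}

    def probe() -> TunnelState:
        calls["n"] += 1
        return UP if calls["n"] <= after else DOWN

    return probe


def demo() -> dict:
    """Run three scenarios and return their outcomes."""
    results = {}
    results["healthy"] = fetch_update(lambda: UP, SDN_IP, UPDATE)
    try:
        fetch_update(lambda: DOWN, SDN_IP, UPDATE)
        results["no_tunnel"] = "downloaded"
    except TunnelDown:
        results["no_tunnel"] = "refused"
    try:
        # Initial check and chunk 1 pass; the tunnel is gone before chunk 2.
        fetch_update(states_then_drop(2), SDN_IP, UPDATE)
        results["mid_drop"] = "downloaded"
    except TunnelDown:
        results["mid_drop"] = "aborted"
    return results


if __name__ == "__main__":
    print(demo())
```

Note that a tunnel-presence check of this kind only establishes which network path carried the download; it says nothing about who produced the payload. In a real update client it belongs alongside verification of the update package itself, which this example deliberately leaves out because the alert does not discuss it.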

Medtronic is now blocking the programmers from connecting to the SDN for software updates. An attempt to connect to the SDN to update a programmer will result in an error message such as "Unable to connect" or "Unable to connect to local network." Programmer software and CIED firmware updates will instead be delivered by Medtronic over a USB connection.

The FDA analyzed the cybersecurity vulnerabilities and confirmed that hackers could exploit the flaws to cause harm to patients. The FDA has assessed Medtronic's remediation plan and confirmed that the update addresses the flaws. The FDA has said that the programmers can still be used for CIED programming, testing and evaluation, as a connection to the SDN is not necessary for the programmers' standard uses.


The FDA and Medtronic have not received any reports to suggest the vulnerabilities have been exploited and no patients are believed to have come to harm as a result of these flaws.


About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/