The U.S. Food and Drug Administration (FDA) has issued an alert after it confirmed that certain Medtronic implantable cardiac device programmers have vulnerabilities that hackers could exploit to change the programmer’s functionality. The vulnerabilities are in Medtronic CareLink 2090 and CareLink Encore 29901 programmers and there are approximately 34,000 vulnerable programmers currently in use.
Doctors use the programmers to obtain performance data of implantable cardiac devices, to determine battery status, and for reprogramming the configuration settings of Medtronic cardiac implantable electrophysiology devices (CIEDs) such as implantable defibrillators, pacemakers, insertable cardiac monitors and cardiac resynchronization devices.
The vulnerabilities were detected by security researchers Billy Rios and Jonathan Butts in 2017. Medtronic confirmed the vulnerabilities in February 2018 and issued an advisory, but has only just issued fixes for the flaws.
The vulnerabilities concern the process by which the programmers connect to the Medtronic Software Distribution Network (SDN) over the internet. The SDN connection is used to download software updates for the programmer and firmware updates for Medtronic CIEDs. Although a virtual private network (VPN) is used to connect the programmers to the Medtronic SDN, no check is performed to confirm that the programmer is still connected to the VPN before software updates are downloaded.
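The missing check described above, written out as an added illustration; this is not Medtronic's code and assumes nothing about the real programmer. It models a hypothetical update client in its "before" form (the download proceeds regardless of tunnel state) beside a hardened form that verifies the VPN tunnel before the transfer starts and again after every chunk, discarding the download if the tunnel drops part-way through. `EXPECTED_PEER`, `TunnelState`, `download_checked` and `TunnelDropSimulation` are names constructed for this example.

```python
"""Update-download precondition check: 'before' (no VPN check) vs. 'after'.

Everything here is a constructed model for illustration; none of it is
Medtronic code or describes the real CareLink update mechanism.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Iterator, Optional

# Constructed placeholder for the VPN peer the tunnel is expected to terminate at.
EXPECTED_PEER = "sdn-vpn.example.invalid"


@dataclass
class TunnelState:
    """Snapshot of the VPN tunnel as reported by a hypothetical probe."""
    up: bool
    peer: str = ""


class UpdateRejected(Exception):
    """Raised when the update is refused because the tunnel is not trustworthy."""


def tunnel_ok(state: TunnelState) -> bool:
    # The tunnel must be up AND terminate at the expected peer; a tunnel to
    # some other endpoint is not an acceptable path for an update.
    return state.up and state.peer == EXPECTED_PEER


def download_unchecked(fetch_chunks: Callable[[], Iterable[bytes]]) -> bytes:
    """'Before': joins whatever the network returns, never consulting the tunnel."""
    return b"".join(fetch_chunks())


def download_checked(fetch_chunks: Callable[[], Iterable[bytes]],
                     tunnel_probe: Callable[[], TunnelState]) -> bytes:
    """'After': refuse to start unless the tunnel is up, and re-check after
    each chunk so that bytes received after a tunnel drop are never kept."""
    if not tunnel_ok(tunnel_probe()):
        raise UpdateRejected("Unable to connect")
    received = bytearray()
    for chunk in fetch_chunks():
        received += chunk
        if not tunnel_ok(tunnel_probe()):
            # The chunk just appended may have travelled outside the VPN;
            # discard the whole partial update rather than trust any of it.
            raise UpdateRejected("tunnel lost during transfer; partial update discarded")
    return bytes(received)


def try_checked(fetch_chunks: Callable[[], Iterable[bytes]],
                tunnel_probe: Callable[[], TunnelState]) -> Optional[bytes]:
    """Convenience wrapper: the update bytes on success, None if rejected."""
    try:
        return download_checked(fetch_chunks, tunnel_probe)
    except UpdateRejected:
        return None


class TunnelDropSimulation:
    """Constructed scenario: the tunnel silently drops after a given number of
    chunks have been served, so the remaining chunks arrive outside the VPN."""
    CHUNKS = [b"CHUNK-A", b"CHUNK-B", b"CHUNK-C"]

    def __init__(self, drop_after_chunks: int):
        self.drop_after = drop_after_chunks
        self.served = 0

    def probe(self) -> TunnelState:
        return TunnelState(up=self.served < self.drop_after, peer=EXPECTED_PEER)

    def chunks(self) -> Iterator[bytes]:
        for chunk in self.CHUNKS:
            self.served += 1
            yield chunk


if __name__ == "__main__":
    # Tunnel drops after the second of three chunks.
    sim = TunnelDropSimulation(drop_after_chunks=2)
    print("unchecked client kept:", download_unchecked(sim.chunks))
    sim = TunnelDropSimulation(drop_after_chunks=2)
    print("checked client result:", try_checked(sim.chunks, sim.probe))
    # Tunnel stays up for the whole transfer.
    sim = TunnelDropSimulation(drop_after_chunks=10)
    print("checked client, stable tunnel:", try_checked(sim.chunks, sim.probe))
```

The re-check after every chunk is the part worth noticing: a single check before the transfer would still accept data that arrived after the tunnel dropped mid-download, which is the same class of gap the article describes, only narrower.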
Medtronic is now blocking the programmers from connecting to the SDN to download software updates. Attempting to connect to the SDN to update the programmers will result in an error message such as “Unable to connect” or “Unable to connect to local network.” Medtronic will now deliver software and firmware updates via a USB connection.
The FDA analyzed the cybersecurity vulnerabilities and confirmed that hackers could exploit the flaws to cause harm to patients. The FDA has assessed Medtronic’s remediation plan and has confirmed that the flaws have been corrected. The FDA has said that the programmers can still be used for CIED programming, testing and evaluation, because a connection to the SDN is not required for standard uses of the programmers.
The FDA and Medtronic have not received any reports to suggest the vulnerabilities have been exploited and no patients are believed to have come to harm as a result of these flaws.