The FDA has issued a medical device safety alert about cybersecurity vulnerabilities in Medtronic’s CareLink programmers that could enable an attacker to change the functionality of the programmer or the implanted pacemaker it controls.
The vulnerabilities reside in the internet connection that the programmer uses to download software updates, between the CareLink and CareLink Encore programmers (models 2090 and 29901) and the Medtronic software distribution network (SDN).
“Although the programmer uses a virtual private network (VPN) to establish an internet connection with the Medtronic SDN, the vulnerability identified with this connection is that the programmers do not verify that they are still connected to the VPN prior to downloading updates,” the FDA explained.
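The flaw the FDA describes is a check-once-then-trust pattern: the tunnel is verified when the session starts, but not again before each download, so a tunnel that drops mid-session leaves later downloads travelling over the plain network path. The following Python example is added here for illustration and is not Medtronic's code, the programmer's code, or anything derived from the FDA alert. The SDN address, the interface names, the routing tables and the update payloads are all constructed; a real client would read its routing table from the operating system and would verify an asymmetric signature on each update rather than the HMAC stand-in used here.

```python
"""Added example (not Medtronic's code): a simulated update client that re-verifies the
VPN tunnel before every download, contrasted with the weak check-once pattern the FDA
alert describes. All hosts, interfaces, routes and payloads below are constructed."""
import hashlib
import hmac
import ipaddress

SDN_HOST = "10.20.5.10"   # constructed: update server reachable only inside the VPN
VPN_IFACE = "tun0"        # constructed: the tunnel interface name

# Constructed routing tables: (destination CIDR, egress interface).
ROUTES_VPN_UP = [("10.20.0.0/16", "tun0"), ("0.0.0.0/0", "eth0")]
ROUTES_VPN_DOWN = [("0.0.0.0/0", "eth0")]


def route_interface(routes, host):
    """Longest-prefix match: return the interface the kernel would use to reach `host`."""
    addr = ipaddress.ip_address(host)
    best_net, best_iface = None, None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def vpn_connected(routes):
    """The tunnel counts as up only if traffic to the SDN host actually egresses via it."""
    return route_interface(routes, SDN_HOST) == VPN_IFACE


def download_updates(files, route_snapshots, recheck_each_time):
    """Simulated update loop.

    route_snapshots[i] is the routing table observed just before download i.
    recheck_each_time=False models the weak behaviour: VPN verified once at session start.
    recheck_each_time=True models the hardened behaviour: VPN verified before every file.
    Returns (files fetched, files that left over the non-VPN path, status string)."""
    fetched, exposed = [], []
    if not vpn_connected(route_snapshots[0]):
        return fetched, exposed, "refused: VPN not connected at session start"
    for name, routes in zip(files, route_snapshots):
        if recheck_each_time and not vpn_connected(routes):
            return fetched, exposed, "aborted: VPN tunnel dropped before downloading " + name
        fetched.append(name)
        if not vpn_connected(routes):
            exposed.append(name)   # weak client: fetched over eth0 without noticing
    return fetched, exposed, "complete"


# Constructed shared key standing in for the vendor's signing key; real updates use
# asymmetric signatures so that the device holds no secret capable of forging one.
UPDATE_KEY = b"constructed-demo-key"


def sign_update(payload):
    return hmac.new(UPDATE_KEY, payload, hashlib.sha256).hexdigest()


def verify_update(payload, tag):
    """Second, transport-independent control: refuse to install anything whose tag
    does not verify, regardless of which interface it arrived on."""
    return hmac.compare_digest(sign_update(payload), tag)


if __name__ == "__main__":
    files = ["bootloader.bin", "firmware.bin", "config.xml"]
    snaps = [ROUTES_VPN_UP, ROUTES_VPN_DOWN, ROUTES_VPN_DOWN]   # tunnel drops after file 1
    print("weak:    ", download_updates(files, snaps, recheck_each_time=False))
    print("hardened:", download_updates(files, snaps, recheck_each_time=True))
    good = b"firmware v2 (constructed)"
    print("signature ok:", verify_update(good, sign_update(good)))
    print("tampered ok: ", verify_update(good + b"x", sign_update(good)))
```

The route check is deliberately stricter than "is the tunnel interface present": it asks whether the path to the update server currently egresses through the tunnel, which is what fails when a VPN drops and the default route silently takes over. Keeping a per-download check and an independent integrity check means a dropped tunnel costs availability (the session aborts) rather than integrity.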
To prevent a successful cyberattack, Medtronic is blocking the programmers from accessing the SDN. A user attempting to update the programmer through the internet will receive an error message. Medtronic is not providing an update to correct the problem at this time, but the company is working on additional security updates to address the vulnerabilities later, the FDA noted.
The FDA explained that healthcare providers can continue to use the programmers for programming, testing, and evaluating cardiac patients because network connectivity is not required for normal operation.
In addition, providers can continue to use other features that require network connections, such as Medtronic’s SessionSync, because they are not impacted by the vulnerabilities.
The agency explained that future programmer software updates must be delivered on a USB device directly by a Medtronic representative.
FDA advised healthcare providers to operate the programmers within well-managed IT networks and to consult with the IT department regarding the security of the network.
It said that reprogramming or updating of the pacemaker is not required, and pacemaker replacement is not recommended.
In a letter to physicians, Medtronic warned that the cybersecurity vulnerabilities “could result in harm to a patient depending on the extent and intent of a malicious cyberattack and the patient’s underlying condition,” reported Reuters. The newswire estimated that 34,000 programmers were affected by the vulnerabilities.
In a presentation at the Black Hat security conference held in August, security researchers Billy Rios and Jonathan Butts criticized Medtronic for dragging its feet regarding the vulnerabilities in the CareLink programmers.
The researchers said that they informed Medtronic last year about the vulnerabilities they had discovered, but that the vendor was uncooperative and unresponsive. Medtronic “spent more time trying to twist the story than fixing it — and we told them how to fix it,” Butts was quoted as saying.
When the researchers first contacted the vendor and provided research documentation, Medtronic representatives said they were “setting up a testing environment” to reproduce the results, according to their presentation.
But eight months later, the company admitted that it had not set up a testing environment to reproduce the results. Ten months later, the vendor said that there were no patient safety implications to the findings, according to the researchers.
Medtronic first issued an advisory about the CareLink vulnerabilities in February of this year. The company followed this with an update in June.
“Further review of these vulnerabilities with the FDA, Billy Rios and Jonathan Butts revealed the potential for an attacker to remotely exploit some of these vulnerabilities. If not mitigated, these vulnerabilities could result in potential harm to a patient. To date, we have not received a report of such an attack or patient harm,” Medtronic said in its Oct. 11 update to the advisory.
“Medtronic recommends that customers continue to follow the security guidance detailed in the CareLink 2090 programmer and CareLink Encore 29901 programmer reference manuals. This guidance includes maintaining good physical controls over the programmer and having a secure physical environment that prevents access to the CareLink 2090 or CareLink Encore 29901 programmer,” the advisory concluded.