The FDA has issued a cybersecurity safety communication about two Medtronic devices used to program pacemakers and other cardiac implants.
The safety alert follows the discovery that hackers could hijack the software update process to change the functionality of the programmers and the implants they control.
While the FDA has not received any reports of patients being harmed by the vulnerability, Medtronic has disabled the online software update to eliminate the security weakness.
Device programmers are important tools in the care of patients with cardiac implants. Providers use the programmers to adjust the settings of cardiac implants and collect locally-stored information such as performance data and battery levels. However, the programmers also serve as a possible entry point for hackers who want to steal information or maliciously adjust device performance.
Medtronic’s 2090 CareLink Programmer and 29901 Encore Programmer suffered from such security weaknesses. The vulnerability relates to the process used to update the programmers' software. The programmers are supposed to use a secure, private network to download updates. However, they do not confirm they are connected to this network before commencing the download. As such, a hacker could hijack the process and send malicious software updates to the programmers.
In response to discovery of the vulnerability, the FDA has issued a safety communication aimed at healthcare providers and patients. The notice outlines the vulnerability, the actions Medtronic has taken to address it and the implications for healthcare providers and patients.
Medtronic has disabled the network-based update mechanism. The action means providers will need to use USB dongles to update programmers but it should ensure hackers cannot hijack devices.
The safety communication is the latest in a series of cybersecurity notices related to the devices. The Department of Homeland Security’s (DHS) cyber emergency team issued a notice about the Carelink programmer in February. That DHS alert focused on security vulnerabilities unrelated to the software update flaw.
By June, the DHS had learned of the software update vulnerability. In updating the security alert, the DHS categorized the new concern as a high-severity problem. The earlier vulnerabilities, like most medical device issues identified by the DHS, were classed as medium-severity concerns.
Medtronic has been the subject of multiple medium-severity notices. This year, the DHS has issued five alerts about Medtronic devices. Some of the devices, including the programmers covered by the FDA notice, suffer from multiple vulnerabilities. Many of Medtronic's peers have been the subjects of DHS' alerts as well.