The U.S. Food and Drug Administration (FDA) has issued a warning about faults in certain Medtronic implantable cardiac appliance programmers which might possibly be targeted by hackers to change the functionality of the programmer during inserting or follow up visits. About 34,000 susceptible programmers are presently active.
The programmers are used by doctors to collect performance data, to check the status of the battery, and to reset Medtronic cardiac implantable electrophysiology devices (CIEDs) including pacemakers, cardiac resynchronization devices, implantable defibrillators, and insertable cardiac monitors.
The faults are present in Medtronic CareLink 2090 and CareLink Encore 29901 programmers, especially how the appliances transmit to the Medtronic Software Distribution Network (SDN) online. The link is essential to download software updates for the programmer and firmware updates for Medtronic CIEDs.
Although a virtual private network (VPN) is used to start a link between the programmers and the Medtronic SDN, there is no check performed to ascertain whether the programmer is still connected to the VPN before software updates are downloaded. This would give cyber attackers the opportunity to install their own updates and change the functionality of the appliances.
The faults in the programmers were found by safety scientists Billy Rios and Jonathan Butts in 2017. Medtronic was made conscious of the faults but has been sluggish to take action. An advisory was ultimately issued in February 2018, however, it has taken until now for action to be taken to rectify the mistake.
Medtronic is now stopping the programmers from linking to the SDN to get software updates. In its place, future updates should be finished by Medtronic through a USB link. Any efforts to update the appliance through the SDN will now result in an “Unable to link to local network” or “Unable to link to Medtronic” error message.
The FDA checked the cybersecurity weaknesses and has verified that the vulnerabilities might be abused to cause patients to come under threat. On October 5, 2018, the FDA accepted the Medtronic network update that hinders the programmer from logging onto the Medtronic SDN.
The FDA suggests that the programmers continue in using it for programming, checking and assessment of CIED patients. The internet link is not required for usual operation.
Both the FDA and Medtronic have said that no reports have been offered to indicate that the faults have been abused.