Medtronic Disables Pacemaker Software Updates Over Security Concerns

Following an independent investigation by security experts, and an FDA review, Medtronic disabled software updates for the Medtronic CareLink and CareLink Encore Programmer models 2090 and 29901, which are used in pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors. The vulnerability would theoretically allow an attacker to update a medical device with non-Medtronic code, which is obviously a serious concern in a pacemaker. Fortunately, the company claims it hasn’t received any reports of attacks or compromised patients. Users will have to manually update their medical devices via USB, and the company claims that its working on getting the online update system back up and running.



The FDA has reviewed information about potential cybersecurity vulnerabilities associated with the internet connection of Medtronic’s programmers, and has confirmed that these vulnerabilities could allow an unauthorized user (that is,someone other than the patient’s physician) to change the programmer’s functionality or the implanted device during the device implantation procedure or during follow-up visits. Specifically, this cybersecurity vulnerability is associated with using an internet connection to update software between the CareLink and CareLink Encore programmers and the SDN. Software updates normally include new software for the programmer’s functionality as well as updates to implanted device firmware. Although the programmer uses a virtual private network (VPN) to establish an internet connection with the Medtronic SDN, the vulnerability identified with this connection is that the programmers do not verify that they are still connected to the VPN prior to downloading updates. To address this cybersecurity vulnerability and improve patient safety, on October 5, 2018, the FDA approved Medtronic’s update to the Medtronic network that will intentionally block the currently existing programmer from accessing the Medtronic SDN.

Discussion

Source: [H]ardOCP – Medtronic Disables Pacemaker Software Updates Over Security Concerns

Leave a Reply