FDA Safety Communication - Cybersecurity Updates Affecting Medtronic Implantable Cardiac Device Programmers

PUBLISHED: Oct 12, 2018
Relevant to: All Healthcare Organizations

The U.S. Food and Drug Administration (FDA) has issued a safety communication with cybersecurity updates affecting medtronic implantable cardiac device programmers. The safety communication is alerting health care providers that Medtronic is issuing a software update to address a safety risk caused by cybersecurity vulnerabilities associated with the internet connection between the Carelink 2090 and Carelink Encore 29901 Programmers used to download software from the Medtronic SDN. This update is a correction (voluntary recall) by the manufacturer to address the safety risk caused by the cybersecurity vulnerability.

For the purposes of this safety communication, cybersecurity focuses on protecting patients' medical devices and their associated computers, networks, programs, and data from unintended or unauthorized threats.

The FDA has reviewed information about potential cybersecurity vulnerabilities associated with the internet connection of Medtronic's programmers, and has confirmed that these vulnerabilities could allow an unauthorized user (that is, someone other than the patient's physician) to change the programmer's functionality or the implanted device during the device implantation procedure or during follow-up visits.

Specifically, this cybersecurity vulnerability is associated with using an internet connection to update software between the CareLink and CareLink Encore programmers and the SDN. Software updates normally include new software for the programmer's functionality as well as updates to implanted device firmware. Although the programmer uses a virtual private network (VPN) to establish an internet connection with the Medtronic SDN, the vulnerability identified with this connection is that the programmers do not verify that they are still connected to the VPN prior to downloading updates.

To address this cybersecurity vulnerability and improve patient safety, on October 5, 2018, the FDA approved Medtronic's update to the Medtronic network that will intentionally block the currently existing programmer from accessing the Medtronic SDN.

As such, attempting to update the programmer through the internet by selecting the "Install from Medtronic" button on the programmer will result in error messages such as "Unable to connect to local network" or "Unable to connect to Medtronic." These errors are due to disabling the SDN and are not a result of a programmer or local information technology (IT) issue.

To date, there are no known reports of patient harm related to these cybersecurity vulnerabilities.

There are no updates to the CareLink 2090 or CareLink Encore 29901 Programmers at this time. However, Medtronic is working to create and implement additional security updates to further address these vulnerabilities.

Recommendations for Health Care Providers:

  • Continue to use the Programmers for programming, testing and evaluation of CIED patients. Network connectivity is not required for normal CIED programming and similar operation.
  • Other Medtronic-provided features that require network connections are not impacted by these vulnerabilities (e.g.,SessionSync™). You may continue to use such features.
  • Do not attempt to update the Programmer through the SDN. If you select the "Install from Medtronic" button, it will not result in software installation because access to the external SDN is no longer available.
  • Future programmer software updates must be received directly from a Medtronic representative with a USB update.
  • Maintain control of Programmers within your facility at all times according to your hospital's IT policies.
  • Operate the Programmers within well-managed IT networks. Consult with your IT department regarding the security of your network. For recommended actions to better secure your computer network environment, refer to https://www.nist.gov/cyberframework or other applicable cybersecurity guidance.
  • Reprogramming or updating of CIEDs is not required as a result of this correction and prophylactic CIED replacement is not recommended.

The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (for example: wi-fi, public, or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. However, the increased use of wireless technology and software in medical devices can also offer safer, timely, and more convenient health care delivery.

See the Safety Communication, link below for additional recommendations for patients, as well as for a listing of additional resources.

Want to read the full alert and receive alert emails?

Browse Additional Alerts