The Food and Drug Administration issued a cybersecurity alert on two Medtronic devices that could allow a hacker to hijack the software update process to change the device’s function. Medtronic disabled the online software update to eliminate the flaw.
Following a review of potential security vulnerabilities around the internet connection, the FDA found 34,000 CareLink cardiac implantable electronic devices are at risk. If the flaw were exploited, a hacker could change the programmer’s functionality or the device itself during implantation or follow-up visits.
The flaw is found in the internet connection between the CareLink 2090 and Encore 29901 Programmers, used for downloading software from Medtronic’s Software Distribution Network. The programmers are used by providers to adjust the cardiac device settings and collect locally stored data.
While software updates typically deliver new software for the programmer and firmware updates for the implanted device through a virtual private network, the programmers don’t verify they’re still connected to the VPN before downloading the updates.
With the online update channel disabled, attempting to update the programmer through the internet connection now results in an error message.
Medtronic updated its network, and the FDA approved the change on Oct. 5. The fix intentionally blocks existing programmers from accessing the Medtronic SDN. The vendor is continuing to implement security updates to further address the flaw.
The FDA recommends providers continue to use the programmers, as network connectivity isn’t required for normal CIED programming. Further, providers should not attempt to update the programmer through the SDN, which is no longer available. Future updates are currently available only from Medtronic via USB.
Medical device vulnerabilities are well known, and vulnerability reporting by vendors has increased 400 percent per quarter since the FDA released its cybersecurity guidance in 2016. However, the increase in FDA alerts is meant to further improve cybersecurity, not to shame vendors.