Skip to main content
close search
site logo
Dive Brief

FDA warns of Medtronic device cybersecurity risk

Published Oct. 12, 2018
By
Contributor
The FDA logo on a glass pane at the agency's campus in Silver Spring, Maryland.
Jacob Bell / BioPharma Dive

Dive Brief:

  • The FDA has issued a cybersecurity safety communication about two Medtronic devices used to program pacemakers and other cardiac implants.

  • The safety alert follows the discovery that hackers could hijack the software update process to change the functionality of the programmers and the implants they control.

  • While the FDA has not received any reports of patients being harmed by the vulnerability, Medtronic has disabled the online software update to eliminate the security weakness.

Dive Insight:

Device programmers are important tools in the care of patients with cardiac implants. Providers use the programmers to adjust the settings of cardiac implants and collect locally-stored information such as performance data and battery levels. However, the programmers also serve as a possible entry point for hackers who want to steal information or maliciously adjust device performance.

Medtronic’s 2090 CareLink Programmer and 29901 Encore Programmer suffered from such security weaknesses. The vulnerability relates to the process used to update the programmers' software. The programmers are supposed to use a secure, private network to download updates. However, they do not confirm they are connected to this network before commencing the download. As such, a hacker could hijack the process and send malicious software updates to the programmers.

In response to discovery of the vulnerability, the FDA has issued a safety communication aimed at healthcare providers and patients. The notice outlines the vulnerability, the actions Medtronic has taken to address it and the implications for healthcare providers and patients.

Medtronic has disabled the network-based update mechanism. The action means providers will need to use USB dongles to update programmers but it should ensure hackers cannot hijack devices.

The safety communication is the latest in a series of cybersecurity notices related to the devices. The Department of Homeland Security’s (DHS) cyber emergency team issued a notice about the Carelink programmer in February. That DHS alert focused on security vulnerabilities unrelated to the software update flaw.

By June, the DHS had learned of the software update vulnerability. In updating the security alert, the DHS categorized the new concern as a high-severity problem. The earlier vulnerabilities, like most medical device issues identified by the DHS, were classed as medium-severity concerns.

Medtronic has been the subject of multiple medium-severity notices. This year, the DHS has issued five alerts about Medtronic devices. Some of the devices, including the programmers covered by the FDA notice, suffer from multiple vulnerabilities. Many of Medtronic's peers have been the subjects of DHS' alerts as well.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
New Published Study Shows MedLite ID as Faster and Simpler Solution to Primary Medication Infu…
From Orion Innovations
November 20, 2024
SYNDEO Medical Announces European MDR Approval for Two Product Brands
From SYNDEO Medical
November 06, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
Arsenal Medical Launches EMBO-02 Study for NeoCast™ to Assess Treatment of Chronic Subdural He…
From Arsenal Medical
November 14, 2024
Editors' picks
Latest in Medical Devices
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell