Cybersecurity Updates Affecting Medtronic Implantable Cardiac Device Programmers: FDA Safety Communication
October 11, 2018
- Patients with a Medtronic cardiac implantable electrophysiology device (CIED)
- Caregivers of patients with a Medtronic CIED
- Cardiologists, electrophysiologists, cardiac surgeons, and primary care physicians treating patients with heart failure or heart rhythm problems using a Medtronic CIED
Cardiac Electrophysiology, Cardiology, Cardiothoracic Surgery, Heart Failure
Medtronic CareLink and CareLink Encore Programmers, models 2090 and 29901, are used during implantation and regular follow-up visits for Medtronic cardiac implantable electrophysiology devices (CIEDs). CIEDs include pacemakers to provide pacing for slow heart rhythms, implantable defibrillators to provide an electrical shock or pacing to stop dangerously fast heart rhythms, cardiac resynchronization devices to pace the heart to improve contraction to treat heart failure, and insertable cardiac monitors for long-term cardiac monitoring for irregular or abnormal heart rhythms.
Medtronic Programmers allow physicians to obtain device performance data, check battery status, and adjust or reprogram device settings from a CIED. When necessary, the Programmers are also used by Medtronic staff to update software in the implanted device. The programmer software can be downloaded and updated either through internet connection to the Medtronic Software Distribution Network (SDN) or by a Medtronic representative plugging a universal serial bus device (USB) into the programmer.
The U.S. Food and Drug Administration (FDA) is issuing this safety communication to alert you that Medtronic is issuing a software update to address a safety risk caused by cybersecurity vulnerabilities associated with the internet connection between the Carelink 2090 and Carelink Encore 29901 Programmers used to download software from the Medtronic SDN. This update is a correction (voluntary recall) by the manufacturer to address the safety risk caused by the cybersecurity vulnerability.
For the purposes of this safety communication, cybersecurity focuses on protecting patients' medical devices and their associated computers, networks, programs, and data from unintended or unauthorized threats.
Summary of Problem and Scope
The FDA has reviewed information about potential cybersecurity vulnerabilities associated with the internet connection of Medtronic's programmers, and has confirmed that these vulnerabilities could allow an unauthorized user (that is,someone other than the patient's physician) to change the programmer's functionality or the implanted device during the device implantation procedure or during follow-up visits.
Specifically, this cybersecurity vulnerability is associated with using an internet connection to update software between the CareLink and CareLink Encore programmers and the SDN. Software updates normally include new software for the programmer's functionality as well as updates to implanted device firmware. Although the programmer uses a virtual private network (VPN) to establish an internet connection with the Medtronic SDN, the vulnerability identified with this connection is that the programmers do not verify that they are still connected to the VPN prior to downloading updates.
To address this cybersecurity vulnerability and improve patient safety, on October 5, 2018, the FDA approved Medtronic's update to the Medtronic network that will intentionally block the currently existing programmer from accessing the Medtronic SDN.
As such, attempting to update the programmer through the internet by selecting the "Install from Medtronic" button on the programmer will result in error messages such as "Unable to connect to local network" or "Unable to connect to Medtronic." These errors are due to disabling the SDN and are not a result of a programmer or local information technology (IT) issue.
To date, there are no known reports of patient harm related to these cybersecurity vulnerabilities.
There are no updates to the CareLink 2090 or CareLink Encore 29901 Programmers at this time. However, Medtronic is working to create and implement additional security updates to further address these vulnerabilities.
Recommendations for Health Care Providers
- Continue to use the Programmers for programming, testing and evaluation of CIED patients. Network connectivity is not required for normal CIED programming and similar operation.
- Other Medtronic-provided features that require network connections are not impacted by these vulnerabilities (e.g.,SessionSync™). You may continue to use such features.
- Do not attempt to update the Programmer through the SDN. If you select the "Install from Medtronic" button, it will not result in software installation because access to the external SDN is no longer available.
- Future programmer software updates must be received directly from a Medtronic representative with a USB update.
- Maintain control of Programmers within your facility at all times according to your hospital's IT policies.
- Operate the Programmers within well-managed IT networks. Consult with your IT department regarding the security of your network. For recommended actions to better secure your computer network environment, refer to https://www.nist.gov/cyberframework or other applicable cybersecurity guidance.
- Reprogramming or updating of CIEDs is not required as a result of this correction and prophylactic CIED replacement is not recommended.
Recommendations for Patients and Caregivers
- There are no actions recommended for patients or caregivers related to this software update or cybersecurity vulnerability.
- Consult with your physician for routine care and follow-up.
- Visit https://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/REV-Medtronic-2090-Security-Bulletin_FNL.pdf, or contact Medtronic Technical Services at 1-800-638-1991 for more information, or if you have any questions about this update.
- Get medical help right away if you feel lightheaded, dizzy, lose consciousness, or have chest pain or severe shortness of breath.
The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (for example: wi-fi, public, or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. However, the increased use of wireless technology and software in medical devices can also offer safer, timely, and more convenient health care delivery.
Reporting Problems to the FDA
Prompt reporting of adverse events can help the FDA identify and better understand the risks related to the use of medical devices. If you suspect or experience a problem with these devices, we encourage you to file a voluntary report through MedWatch, the FDA Safety Information and Adverse Event Reporting program. Health care personnel employed by facilities that are subject to the FDA's user facility reporting requirements should follow the reporting procedures established by their facilities.
- Medtronic Security Bulletin (October 11, 2018)
- ICS-CERT Advisory: Medtronic 2090 Carelink Programmer Vulnerabilities
The FDA will continue to work with manufacturers and health care delivery organizations—as well as security researchers and other government agencies—to develop and implement solutions to address cybersecurity issues for medical devices. The FDA takes reports of vulnerabilities in medical devices very seriously and has issued recommendations to manufacturers for continued monitoring, reporting, and remediation of medical device cybersecurity vulnerabilities.
If you have questions about this communication, please contact the Division of Industry and Consumer Education (DICE) at DICE@FDA.HHS.GOV, 800-638-2041 or 301-796-7100.