Medtronic has issued a software update to address a safety risk caused by cybersecurity vulnerabilities associated with the Internet connection between two models of CareLink programmers used to download software from the company's software distribution network (SDN). The situation prompted FDA to issue a safety communication to alert patients, caregivers, and physicians.
FDA said the cybersecurity vulnerabilities could allow an unauthorized user to change the programmer's functionality or the implanted device during the device implantation procedure or during follow-up visits. The vulnerability impacts the CareLink and CareLink Encore programmers. Software updates normally include new software for the programmer's functionality as well as updates to implanted device firmware. Although the programmer uses a virtual private network (VPN) to establish an Internet connection with the Medtronic SDN, the vulnerability identified with this connection is that the programmers do not verify that they are still connected to the VPN prior to downloading updates, the agency explained.
FDA said that on Oct. 5, 2018, it approved Medtronic's software update to the Medtronic network that will intentionally block the currently existing programmer for accessing the Medtronic SDN. The agency said there are no known reports of patient harm related to this issue. The company is working to create and implement additional security updates to further address these vulnerabilities, the agency noted.
In the meantime, physicians are advised to continue to use the programmers for programming, testing, and evaluation of patients with a cardiovascular implantable electronic device (CIED) because network connectivity is not required for normal CIED programming and similar operation. Other Medtronic-provided features that require network connections, such as the SessionSync feature, are not impacted by these vulnerabilities, FDA said.
Future programmer software updates must be received directly from a Medtronic representative with a USB update, the agency said. There are no recommended actions for patients or caregivers related to this software update or cybersecurity vulnerability.
Any medical device connected to a communications network such as a public WiFi or a home Internet may have cybersecurity vulnerabilities that could be exploited by unauthorized users, FDA said. However, the agency said the increased use of wireless technology and software in medical devices can also offer safer, timely, and more convenient healthcare delivery.