The US Food and Drug Administration (FDA) on Thursday issued a safety communication warning of cybersecurity vulnerabilities for Medtronic cardiac implantable electrophysiology devices (CIED).
Although to date there are no known reports of patient harm related to these cybersecurity vulnerabilities, Medtronic is issuing a software update to address a safety risk associated with the internet connection between the Carelink 2090 and Carelink Encore 29901 Programmers used to download software from the Medtronic Software Distribution Network (SDN).
The programmer software can be downloaded and updated either through an internet connection to the Medtronic SDN or by a Medtronic representative plugging a universal serial bus (USB) device into the programmer.
FDA said it “has confirmed that these vulnerabilities could allow an unauthorized user (that is, someone other than the patient's physician) to change the programmer's functionality or the implanted device during the device implantation procedure or during follow-up visits.”
And although the programmer uses a virtual private network (VPN) for connecting with the Medtronic SDN, FDA said the “vulnerability identified with this connection is that the programmers do not verify that they are still connected to the VPN prior to downloading updates.”
To address this vulnerability, FDA earlier this month approved Medtronic's update to its network, and it will now “intentionally block the currently existing programmer from accessing the Medtronic SDN.”
FDA has warned of and dealt with other cyber vulnerabilities in the past.
FDA and the Department of Homeland Security (DHS) in January 2017 issued an advisory warning of cybersecurity vulnerabilities found in St. Jude Medical's Merlin@home wireless transmitter that could affect the company's line of implantable cardiac devices. Abbott in August 2017 also voluntarily recalled about 465,000 pacemakers to install a firmware update to patch cybersecurity vulnerabilities in the devices.
The warnings come as the Department of Health and Human Services’ Office of the Inspector General is calling on FDA to further integrate cybersecurity into its review processes for medical devices, which the agency agreed with. For its part, FDA has said recently it would update 2014 guidance on cybersecurity.