Medtronic has shut off the ability to remotely update the software on two machines that are used in doctor’s offices to program the settings on implanted pacemakers and defibrillators, expanding cybersecurity precautions that were announced earlier this year.
The Irish medical device company, operated from offices in Fridley, announced that it was shutting down the ability of its CareLink 2090 and CareLink Encore 29901 device programmers to download new software updates remotely. The news follows a demonstration at the Black Hat USA cybersecurity conference in Las Vegas in August by independent researchers who showed that the vulnerabilities in Medtronic device programmers could negatively impact patient care.
The same researchers, Billy Rios of WhiteScope and Jonathan Butts of QED Secure Solutions, forced Medtronic to announce vulnerabilities in the same CareLink 2090 device earlier this year, and to acknowledge that the company’s initial responses to the “white hat” hackers’ discoveries about vulnerabilities in the 2090 programmer were too slow.
The CareLink machines are not implantable devices themselves, but rather are tools that a doctor can use in the office to adjust the settings or update the software on implanted heart devices. The programmers, which run on a version of Windows no longer supported by Microsoft, are vulnerable to attacks because they don’t confirm the authenticity of software being downloaded.
Rios has said that hacked software could be downloaded onto the CareLink devices, and compromised devices could then be used to push code onto an implanted pacemaker or defibrillator that would allow an attacker to make changes on those devices that could harm a patient.
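The weakness the article describes is the absence of an authenticity check on downloaded software: a programmer that accepts whatever bytes the update channel delivers will also accept a tampered image. The following Go program is an added example, not Medtronic's code and not drawn from the researchers' work; it contrasts a hypothetical unverified installer with one that only accepts an update whose detached Ed25519 signature verifies against a key pinned in the device. The update format, the function names and the sample firmware bytes are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed update bundle: the image bytes plus a
// detached signature produced by the vendor's release key.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify against the pinned vendor key")
var ErrBadKey = errors.New("pinned key has the wrong size")

// InstallUnverified models the behaviour described in the article: it accepts
// any payload and returns its digest as if it were ready to apply. Nothing
// ties the bytes to the vendor, so a modified image is accepted unchanged.
func InstallUnverified(pkg UpdatePackage) [32]byte {
	return sha256.Sum256(pkg.Payload)
}

// InstallVerified is the hardened form: the image is accepted only if its
// signature verifies under a public key that was pinned into the device at
// manufacture. A network path that delivers altered bytes therefore fails
// closed instead of being applied.
func InstallVerified(pinnedKey ed25519.PublicKey, pkg UpdatePackage) ([32]byte, error) {
	if len(pinnedKey) != ed25519.PublicKeySize {
		return [32]byte{}, ErrBadKey
	}
	// ed25519.Verify returns false for a missing, truncated or wrong signature.
	if !ed25519.Verify(pinnedKey, pkg.Payload, pkg.Signature) {
		return [32]byte{}, ErrBadSignature
	}
	return sha256.Sum256(pkg.Payload), nil
}

// SignUpdate stands in for the vendor's release pipeline, which holds the
// private key and never ships it to the field.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	sig := ed25519.Sign(priv, payload)
	return UpdatePackage{Payload: append([]byte(nil), payload...), Signature: sig}
}

// Tamper returns a copy of the package with one payload byte flipped,
// simulating an image altered in transit.
func Tamper(pkg UpdatePackage) UpdatePackage {
	altered := append([]byte(nil), pkg.Payload...)
	altered[0] ^= 0x01
	return UpdatePackage{Payload: altered, Signature: pkg.Signature}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := SignUpdate(priv, []byte("constructed programmer image v1.0"))
	altered := Tamper(genuine)

	// Unverified path: both images are accepted.
	fmt.Printf("unverified accepts genuine: %x\n", InstallUnverified(genuine))
	fmt.Printf("unverified accepts altered: %x\n", InstallUnverified(altered))

	// Verified path: only the genuine image passes.
	if d, err := InstallVerified(pub, genuine); err == nil {
		fmt.Printf("verified accepts genuine: %x\n", d)
	}
	if _, err := InstallVerified(pub, altered); err != nil {
		fmt.Println("verified rejects altered:", err)
	}
}
```

The design point is that verification is keyed to a public key stored on the device, not to anything carried in the update itself, so neither the download server nor the network path can vouch for an image on its own. Pulling the programmers off the deployment network, as the article describes, removes the untrusted delivery path; signature verification is what would let such a path be trusted again.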
Such an attack has never been documented in the real world. Indeed, there has never been a documented cyberattack against any medical device that was intended to harm a patient and successfully did so, though security researchers say it would be difficult to verify such an attack if it happened clandestinely. The documented cyberattacks that have affected healthcare have typically involved “ransomware” attacks against hospitals by criminals seeking money, not patient harm.
On Oct. 5, the Food and Drug Administration approved Medtronic’s request to do network updates that intentionally block CareLink 2090 and CareLink Encore 29901 programmers from accessing Medtronic’s software deployment network to receive software updates. Although there was no security update to the CareLink machines themselves, Medtronic is still working on additional security changes, an FDA alert about the changes says. Future updates to the devices will be done in person by Medtronic personnel.
“Customers should continue to use the programmers for programming, testing, and evaluating implanted devices. Network connectivity is not required for cardiovascular implantable electronic devices programming and similar operation. Other Medtronic-provided features that require network connections are not impacted by these vulnerabilities (e.g. SessionSync™ and RemoteView™), and customers may continue to use such features,” Medtronic said in its updated security bulletin.
The FDA says that any medical device that connects to Wi-Fi, or to public or home internet networks, may contain security vulnerabilities. Medtronic has plenty of company in dealing with cybersecurity challenges in medical devices, as shown by the number of health care products included in the list of cybersecurity advisories maintained by the Homeland Security Department’s Industrial Control Systems Cyber Emergency Response Team.
Device programmers like the CareLink system have been a particular area of focus. Since 2016, all three major U.S. pacemaker companies have published cybersecurity alerts about their heart-device programmers.