FDA Approves Medtronic Fix for Device Cybersecurity Vulnerabilities

The medical device manufacturer has updated the software as part of a voluntary recall to address safety risk.

Medtronic is working on additional ways to mend the cybersecurity vulnerabilities.

In a voluntary recall, Medtronic has issued a software update to plug cybersecurity holes in programmers — which are kinds of software that physicians use to measure a connected device’s performance, battery status and settings — for the company’s implantable cardiac devices, according to an announcement from the U.S. Food and Drug Administration.

The software update is meant to “address a safety risk caused by cybersecurity vulnerabilities associated with the internet connection” between the programmers, the FDA said in its safety communication. Regulators approved the update on Oct. 5 and said there are “no known reports of patient harm” stemming from the issue.


The cybersecurity vulnerabilities affected the CareLink 2090 and CareLink Encore 29901 programmers. Medtronic staffers use the technologies to update software in implanted cardiac devices.

FDA officials said the programmers use a secure virtual private network but don’t verify that connection before downloading software updates.

“To address this cybersecurity vulnerability and improve patient safety,” the agency wrote, “the FDA approved Medtronic’s update to the Medtronic network that will intentionally block the currently existing programmer from accessing the Medtronic SDN (Software Distribution Network).”

What does that mean? When someone attempts to use the programmer through the internet by clicking “Install from Medtronic,” they will receive an error message.

Medtronic is developing additional security features to further fix the vulnerabilities, according to the FDA.

Regulators noted that physicians can still use the programmers to test the cardiac implants, as these features do not require network activity. Other connected features that aren’t affected by the cybersecurity vulnerabilities will continue to function.

The FDA directed the safety communication to patients with a Medtronic cardiac implantable electrophysiology device, caregivers, cardiologists, electrophysiologists, cardiac surgeons and primary care physicians.

