Advertisement

FDA warns users of cyber vulnerability in pacemaker programmers

The FDA has issued a cybersecurity advisory for two models of programmers used on cardiac devices like pacemakers and defibrillators.
(Getty Images)

The Food and Drug Administration has issued a cybersecurity advisory for two models of programming equipment that doctors use to check cardiac devices like pacemakers, citing a vulnerability that could allow unauthorized access to the programmers.

The FDA said it confirmed that when the two models of programmers, which are made by Minneapolis-based Medtronic, have an internet connection, unauthorized users could exploit the vendor’s software-updating network to change the programmers’ functionality. Doctors use the programmers to do things like adjust the settings of a pacemaker and check its batteries, according to the FDA.

“While we are not aware of patients who may have been harmed by this particular cyber vulnerability, the risk to patient harm of leaving such a vulnerability unaddressed is too great,” Suzanne Schwartz, a top cybersecurity official at the FDA, said Thursday in a statement.

In a letter to health care professionals, Medtronic said that the vulnerability “may introduce risks that, if not fully mitigated, could result in harm to a patient depending on the extent and intent of a malicious cyberattack and the patient’s underlying condition. To date, neither such an attack nor resultant patient harm has been observed.”

Advertisement

In response to the security and safety concerns, Medtronic said it disabled the internet-connected software updates for the programmers and that, as of Thursday, a company representative would manually and securely update all of the affected programmers. The FDA approved that Medtronic software update so that medical providers can keep using the programmers without connecting to the internet. The agency said it considers the corrective action a “voluntary recall” undertaken by the manufacturer, as opposed to any mandatory enforcement from the regulator.

Patients’ implanted devices — such as pacemakers and defibrillators — that interact with the programmers do not require an update, Medtronic said in a statement to CyberScoop. “Physicians should continue to use the programmers for programming, testing and evaluating implanted cardiac devices.”

In August at the Black Hat conference, security researchers demonstrated how a hacker could run malicious firmware on one of the programmers, the CareLink 2090, to make life-threatening changes in care. The security researchers, Billy Rios and Jonathan Butts, said they disclosed the vulnerabilities to Medtronic in January 2017 and criticized the vendor for taking months to address the issue.

Medtronic issued security notices and updates for the programmers in February and June of this year. The February notice, however, claimed that the researchers’ findings “revealed no new potential safety risks based on the existing product security risk assessment.”

In its statement Thursday, Medtronic said that patient safety is its top priority. “Medtronic takes the security of our products seriously, and we continue to proactively minimize and mitigate cybersecurity vulnerabilities during premarket-development and post-market use,” the company added.

Advertisement

Schwartz, who attended the Black Hat presentation, has shown a strong interest in improving vulnerability disclosure in the medical device industry.

“The FDA is committed to protecting patient safety by working with all stakeholders to develop and implement solutions to address cybersecurity issues throughout a product’s total lifecycle,” she said Thursday.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts