The U.S. Food and Drug Administration (FDA) issued a cybersecurity vulnerability warning for users of Medtronic's CareLink 2090 Programmer and CareLink Encore 29901 Programmer devices.
As detailed in FDA's warning, software updates released by Medtronic for their pacemakers can be installed either via the USB port or by downloading with the help of the Software Distribution Network (SDN).
The security issue resides in the SDN update download process which allows potential attackers to update the CareLink programmers with non-Medtronic (malicious) software during the update's download process.
According to Medtronic, "[..] the process for updating software through the SDN may introduce risks that, if not fully mitigated, could result in harm to a patient depending on the extent and intent of a malicious cyberattack and the patient’s underlying condition."
Starting with October 11, Medtronic has chosen to disable the SDN feature for all pacemaker programmer updates, allowing only software updates via the USB port.
The Software Distribution Network will be disabled for all CareLink pacemaker programmers beginning October 11
The FDA and the CareLink pacemaker programmers' manufacturer recommend using the devices programming, testing, and evaluation of cardiac implantable electrophysiology devices (CIED) patients.
Health care providers are advised to avoid updating the programmers via the SDN since updates can only be installed via USB, as well as to follow the hospital's IT policies and to make sure they're using the devices on a secure network.
It's important to mention that both the FDA and Medtronic pointed out in their security advisories that no attacks or patients being harmed because of this vulnerabilities have been observed.
"The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (for example: wi-fi, public, or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users," says FDA's alert.