The manufacturer of more than 34,000 implantable pacemakers has disabled internet access for updating and programming the devices, after discovering that they may be vulnerable to hacking or cyber attacks.
Medtronic issued an Urgent Medical Device Correction to physicians this week, indicating that new cyber-security vulnerabilities have led the manufacturer to disable internet access for the devices.
To date, no successful hacks or disturbances to an implantable pacemaker have been reported, but remote control of the implantable pacemakers may pose serious and life-threatening health risks for patients.
The action comes after Medtronic discovered the CareLink devices could be susceptible to hacking, which could potentially allow someone to gain control over the device and change electronic pulse functions or give false readings.
The correction notice affects all serial numbers of the CareLink 2090 Programmer and the CareLink Encore 29901 Programmer, impacting approximately 34,000 devices.
The U.S. Food and Drug Administration (FDA) was notified of Medtronic’s action and states that it reviewed the safety notice describing the vulnerabilities and approved of the decision to disable internet updates.
Physicians with patients using the implanted devices are being told to continue using the CareLink programs, but are being advised not to attempt to update the software over the internet. According to Medtronic, no action is necessary on the part of the patients, and the company is working on mitigating the vulnerabilities.
Cybersecurity threats in the medical field have been a growing concern over the last few years, as vulnerabilities in healthcare organizations’ record systems and medical devices have surfaced.
Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative actions to strengthen the medical field’s cybersecurity are not taken, hackers could exploit these vulnerabilities and put patients at serious risk.
According to an announcement by FDA Commissioner Scott Gottlieb earlier this month, the agency has collaborated with MITRE Corporation to develop a medical device cybersecurity playbook designed to prepare healthcare delivery organizations for malicious attacks that could allow control over medical devices used to treat patients.
Medical device hacking demonstrations date back to 2012, when researchers at an RSA security conference in San Francisco were able to hack medical devices such as insulin pumps from up to 300 feet away. The demonstration further showed how hackers could remotely take control of the insulin devices, allowing them to deliver lethal doses of insulin to patients without any notification.