Medtronic Cardiac Devices Recalled Due to Cyber Concerns
FDA Announces 'Voluntary Recall' Related to Vulnerabilities
(This story has been updated with an FDA statement.)
The Food and Drug Administration has announced a "voluntary recall" by Medtronic of certain internet-connected programmers for implantable cardiac devices due to cybersecurity vulnerabilities.
The recall involves Medtronic blocking the affected programmers from accessing the company's network via the internet until the company issues security fixes so that the programmers cannot be exploited by unauthorized users.
Some security experts are hopeful that the recall serves as another important wake-up call for more manufacturers to take action on addressing cybersecurity issues.
"If we can be proactive about addressing cybersecurity issues in our medical devices and manufacturers are willing to acknowledge/fix issues, we can avoid/mitigate most of the problems we encounter in a way that avoids recalls," says ethical hacker Billy Rios of the security research firm Whitescope, who helped identify the vulnerabilities at the center of the recall.
"Unfortunately, I'm sure there will be some medical device manufacturers that believe they can talk their way out of fixing security issues through their public relations departments. I hope this example serves as an awakening for those organizations," Rios says.
In an Oct. 12 alert, FDA says the recall involves Medtronic CareLink and CareLink Encore programmers, models 2090 and 29901, which are used during implantation and regular follow-up visits for Medtronic cardiac implantable electrophysiology devices, or CIEDs.
CIEDs include pacemakers to provide pacing for slow heart rhythms, implantable defibrillators to provide an electrical shock or pacing to stop dangerously fast heart rhythms, cardiac resynchronization devices to pace the heart to improve contraction to treat heart failure, and insertable cardiac monitors for long-term cardiac monitoring for irregular or abnormal heart rhythms, FDA notes.
When the programmers are connected to the internet, the connection could be exploited to allow an unauthorized user "to alter the programmer to change the programmer's functionality or the implanted device during the device implantation procedure or during follow-up visits," according to FDA.
The agency says it's not aware of any reports of patient harm related to these cybersecurity vulnerabilities.
Approximately 30,000 CareLink 2090 programmers and 4,000 CareLink Encore programmers are impacted by the recall, Medtronic tells Information Security Media Group. "These programmers are not implanted, but rather are used for programming during implantation and regular follow-up visits on Medtronic cardiac implantable electrophysiology devices," Medtronic explains.
The Medtronic programmers enable physicians to obtain device performance data, check battery status and adjust or reprogram device settings, FDA notes in its alert. "When necessary, the programmers are also used by Medtronic staff to update software in the implanted device. The programmer software can be downloaded and updated either through internet connection to the Medtronic Software Distribution Network (SDN) or by a Medtronic representative plugging a universal serial bus device (USB) into the programmer."
FDA says in its alert that it reviewed information about potential cybersecurity vulnerabilities associated with the internet connection of Medtronic's programmers, and has confirmed that these vulnerabilities could allow an unauthorized user - someone other than the patient's physician - to change the programmer's functionality or the implanted device during the device implantation procedure or during follow-up visits.
"Specifically, this cybersecurity vulnerability is associated with using an internet connection to update software between the CareLink and CareLink Encore programmers and the SDN. Software updates normally include new software for the programmer's functionality as well as updates to implanted device firmware. Although the programmer uses a virtual private network (VPN) to establish an internet connection with the Medtronic SDN, the vulnerability identified with this connection is that the programmers do not verify that they are still connected to the VPN prior to downloading updates."
Rios tells ISMG the vulnerabilities at the center of the Medtronic recall are the same issues that he and a fellow researcher previously identified. Those issues were the subject of alerts issued earlier this year, and updated again on Oct. 11, by the Department of Homeland Security's Industrial Control System Computer Emergency Response Team.
Medtronic tells ISMG: "Some of the information leading to this change is new and some was previously presented by WhiteScope. These vulnerabilities were included in the demonstration by [Whitescope's] Billy Rios and Jonathan Butts at the BlackHat Conference.
"We reviewed these vulnerabilities with the FDA and external researchers and concluded that the process for updating software through the SDN may introduce risks that, if not mitigated, could result in harm to patients. To date, we have not observed or received a report of an attack or patient harm."
Since the BlackHat demonstration earlier this year, "the FDA has conducted its own investigation into the issues we presented, established the 'ground-truth' for potential patient safety implications and worked with clinicians, the manufacturer and researchers to reach an appropriate resolution," Rios notes.
"I believe we've witnessed the forward-learning posture of the FDA when it comes to cybersecurity," he says. "Recalls are serious business. I don't think it's the place of the cybersecurity researcher to demand recalls. We can certainly provide input to help the affected parties understand the potential impact of medical device vulnerabilities, but true patient safety risk calculations should always have input from the physicians and healthcare delivery organizations."
Fixing the Problems
FDA on Oct. 5 approved an update to the Medtronic network "that will intentionally block the currently existing programmer from accessing the Medtronic SDN."
As a result, attempting to update the programmer through the internet by selecting the "Install from Medtronic" button on the programmer will result in error messages such as "Unable to connect to local network" or "Unable to connect to Medtronic," FDA says. "These errors are due to disabling the SDN and are not a result of a programmer or local information technology issue."
There are no updates to the CareLink 2090 or CareLink Encore 29901 Programmers available at this time, FDA notes. But Medtronic is working to create and implement additional security updates to further address these vulnerabilities.
Medtronic tells ISMG that patients' cardiac devices are not affected by any changes in the programmers, and these updates do not require any action by patients.
The manufacturer is providing the following recommendations and notifications to healthcare providers related to CareLink 2090 and CareLink Encore 29901 programmers:
- Continue to use the programmers for programming, testing and evaluation of CIED patients. Network connectivity is not required for normal CIED programming and similar operation.
- Other Medtronic-provided features that require network connections are not impacted by these vulnerabilities.
- Do not attempt to update the programmer via the SDN. If the "Install from Medtronic" button is selected, it will not result in software installation because access to the external SDN is no longer available.
- Future programmer software updates must be received directly from a Medtronic representative.
- Maintain control of programmers within your facility at all times according to your facility's IT policies.
- Operate the programmers within well-managed IT networks.
Why Recall Necessary
Because this is a voluntary recall initiated by Medtronic, it "implies that the vulnerability doesn't pose acute danger to patients," says Ben Ransford, president of healthcare security firm Virta Labs. "To my knowledge, the vulnerability is due to a design flaw rather than a software issue. The recall is necessary because Medtronic chose to take drastic action by shutting down the software update network," he says.
"The issues with VPNs aren't unique to Medtronic devices. Most VPN systems, including VPN clients for phones and laptops, have similar issues, in which there's a window of vulnerability before and after the VPN link is protecting traffic," he says.
To exploit the CareLink vulnerability, an attacker would have to put themselves in between the Medtronic programmer and the internet link, Ransford notes. "Most healthcare delivery organizations have enough physical controls in place to make such an attack difficult."
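The flaw described in the FDA alert (no check that the VPN is still up before an update is downloaded) and the VPN window Ransford describes both come down to failing open. The following is an added example, not Medtronic's code: `SimulatedLink`, the payloads and the pinned digest are constructed assumptions, used to contrast an unchecked download with one that fails closed.

```python
import hashlib
import hmac
from dataclasses import dataclass

GENUINE = b"constructed-genuine-update"    # constructed sample payloads
TAMPERED = b"constructed-tampered-update"
PINNED_SHA256 = hashlib.sha256(GENUINE).hexdigest()  # assumed to arrive out of band


class UpdateRejected(Exception):
    """The package must not be installed."""


@dataclass
class SimulatedLink:
    """Constructed stand-in for the network path; not a real VPN API."""
    up: bool = True
    drops_mid_transfer: bool = False

    def tunnel_is_up(self) -> bool:
        return self.up

    def fetch(self) -> bytes:
        data = GENUINE if self.up else TAMPERED  # off-tunnel traffic is untrusted
        if self.drops_mid_transfer:
            self.up = False
        return data


def download_unchecked(link: SimulatedLink) -> bytes:
    # Flawed pattern: the tunnel was set up earlier, nothing re-verifies it now.
    return link.fetch()


def download_checked(link: SimulatedLink, pinned_sha256: str = PINNED_SHA256) -> bytes:
    # Fail closed: verify the tunnel before and after the transfer, then the content.
    if not link.tunnel_is_up():
        raise UpdateRejected("tunnel down before download")
    package = link.fetch()
    if not link.tunnel_is_up():
        raise UpdateRejected("tunnel dropped during download")
    digest = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256):
        raise UpdateRejected("digest mismatch")
    return package


def outcome(link: SimulatedLink) -> str:
    try:
        download_checked(link)
        return "accepted"
    except UpdateRejected as exc:
        return f"rejected: {exc}"
```

The content check matters independently of the tunnel checks: a package that fails the pinned digest is rejected even when the tunnel probe reports the link as up.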
The first voluntary recall of medical devices due to cybersecurity issues was by Abbott Laboratories in August 2017. It also involved certain implantable cardiac pacemakers' firmware.
But Ransford predicts there will be other cybersecurity-related recalls.
"The Abbott and Medtronic recalls were just the tip of the iceberg," he says. "The good news is that big manufacturers like Medtronic and Philips are normalizing voluntary disclosure. So it's not that medical device security is getting worse or the danger to patients is increasing; what we're seeing is deeper understanding of risk and a willingness to acknowledge problems."
In the meantime, healthcare organizations must make sure they're equipped to deal with problems that affect a specific subpopulation of their devices, Ransford adds. "That means understanding what devices are present, tracking ePHI carefully, and having an ability to quickly perform risk assessment," he says. "The status quo involves too much paperwork and not enough actual preparedness. Practice, practice, practice."
FDA has been taking action to bolster the cybersecurity of medical devices, including the recent release of a "playbook" on dealing with cybersecurity vulnerabilities.
But Rios says manufacturers need to greatly improve their ability to address cyber issues in their products.
"I hope medical device manufacturers establish an 'incident response plan' for their products," he says. "Dealing with security researchers is one thing, but there will come a day when a hacked medical device tries to hurt a patient. Instead of waiting for this to happen, we should be proactive and thoughtful in how we will respond to such events."
Besides the recalls involving the Abbott Labs devices last year, and the most recent Medtronic announcement, there have been a few other voluntary recalls by manufacturers for medical device cybersecurity concerns, the FDA tells ISMG.
"What the others share in common is that they pre-date the December 2016 release and implementation of FDA's final postmarket cybersecurity guidance document," the agency says. "The guidance lays out a policy framework for manufacturers who, upon assessment of vulnerabilities of uncontrolled risk, can leverage their active participation in an FDA-recognized medical device information sharing and analysis organization to report the vulnerability and communicate the mitigation and/or remediation that will reduce risk of patient harm to an acceptable level within an accelerated timeframe of 30 and 60 days."
"As per our guidance," the FDA notes, "if manufacturers address these higher - i.e., uncontrolled - risk vulnerabilities in an expedient manner through ISAO participation - and there have been no reports of serious injuries or deaths associated with the vulnerability (thus, the vulnerability has not been exploited) - then the agency would not enforce Part 806 reporting of corrections and removals, and a voluntary recall does not ensue because of the proactive measures that the company has already taken."