Vulnerabilities in Medtronic Implantable Cardiac Device Programmers and the Fix

The U.S. Food and Drug Administration (FDA) released an advise about the vulnerabilities of a number of Medtronic implantable cardiac device programmers that hackers can potentially exploit enabling them to alter the programmer’s functionality when used for implantation or follow-up treatments. Currently, there are approximately 34,000 vulnerable programmers in use.

Medical professionals employ these programmers for obtaining performance data, knowing battery status, and reprogramming configurations on the Medtronic cardiac implantable electrophysiology devices (CIEDs) such as insertable cardiac monitors, implantable defibrillators, cardiac resynchronization devices, and pacemakers.

The vulnerabilities found in Medtronic CareLink Encore 29901 and CareLink 2090 programmers only affect devices that use the web to connect to the Medtronic Software Distribution Network (SDN). The internet connection is necessary to download updates of the programmer software program and the Medtronic CIEDs’ firmware.

When utilizing a virtual private network (VPN) to make a connection between the programmers and the Medtronic SDN, there’s no confirmation test to know if the programmer stays hooked up to the VPN before downloading software updates. At this stage, hackers could grab the opportunity to put in the updates they want and alter the device’s function.

Security researchers Jonathan Butts and Billy Rios found out about the programmers’ vulnerabilities last year. They told Medtronic about the flaws however the company responded slowly to the problem. In February 2018, an advisory was released concerning this problem yet the action to fix the vulnerability was done just recently.

The programmers’ network to the SDA Medtronic is currently blocked by Medtronic so it’s impossible to get software updates. Trying to link to the SDN for updates will just display an error message – for example “Unable to connect to Medtronic” or “Unable to connect to local network.” The programmers’ update is only possible by contacting Medtronic which does it by USB connection.

The FDA assessed these cybersecurity vulnerabilities and said that hackers can certainly exploit the vulnerabilities to harm patients. Therefore, on October 5, 2018, the FDA approved Medtronic’s move to block the connection to the Medtronic SDN so programmers are unable to get network update. Even so, programmers are still functional for CIED patient programming, tests and review but without connecting to the internet.

As of today, no report has been received by the FDA and Medtronic concerning the exploitation of the vulnerabilities or patient complaints resulting from the programmers’ flaws.

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at