URGENT MEDICAL DEVICE CORRECTION

Software Distribution Network & Associated Programmers

Product Name                        Model Number
CareLink™ 2090 Programmer           2090; All Serial Numbers
CareLink Encore™ 29901 Programmer   29901; All Serial Numbers

Update: January 30, 2020

Vulnerabilities have been mitigated and external access to the SDN has been reenabled. It is now acceptable to update Medtronic programmers via the SDN.

To date, no cyberattack, privacy breach, or patient harm has been observed or associated with these vulnerabilities.

October 2018

Dear Risk Manager or Healthcare Professional:

Medtronic is writing to inform you of a modification we are making to improve cybersecurity of device programmers by changing how the programmers are updated with new software. Currently, the Medtronic CareLink™ 2090 and CareLink Encore™ 29901 programmers receive new software from one of two routes: using the USB port or using a network connection via the Software Distribution Network, or SDN. The SDN is a worldwide network that allows the download of new or updated software to the CareLink 2090 and CareLink Encore 29901 Programmers via the internet. Beginning October 11th, 2018, Medtronic will be disabling the SDN for programmer updates and will rely solely on the USB update method. If you currently use the USB updating process, there will be no change to your workflow.

Vulnerabilities have been identified in the SDN download process that may allow an individual with malicious intent to update the programmers with non-Medtronic software during an SDN download. To date, Medtronic has received zero (0) reports to indicate that such an issue has occurred. Medtronic issued an initial security bulletin in February 2018 with an update in June 2018 which can be found at www.medtronic.com/security. However, further review of these vulnerabilities with the FDA and external researchers led to the conclusion that the process for updating software through the SDN may introduce risks that, if not fully mitigated, could result in harm to a patient depending on the extent and intent of a malicious cyberattack and the patient’s underlying condition. To date, neither such an attack nor resultant patient harm has been observed.

The programmers are safe to use when the following recommendations are followed. Medtronic provides these recommendations for the CareLink 2090 and CareLink Encore 29901 programmers:

  • Continue to use the programmers for programming, testing and evaluation of patients with cardiovascular implantable electronic devices (CIEDs). Network connectivity is not required for normal CIED programming and similar operation.
    • Other Medtronic-provided features that require network connections are not impacted by these vulnerabilities (e.g. SessionSync™). You may continue to use such features.
  • Do not attempt to update the programmer via the SDN. If you select the “Install from Medtronic” button, it will not result in software installation because access to the external SDN is no longer available. See Appendix A.
    • Future programmer software updates must be received directly from a Medtronic representative.
  • Maintain control of programmers within your facility at all times according to your facility’s IT policies.
  • Medtronic recommends customers operate the programmers within well managed IT networks. Consult with your IT department regarding the security of your network. For recommended actions to better secure your computer network environment, refer to https://www.nist.gov/cyberframework or other cybersecurity guidance.
  • Reprogramming or updating of CIEDs is not required as a result of this correction, and prophylactic CIED replacement is not recommended and should not be performed.

Questions regarding the above recommendations should be directed to Medtronic Technical Services at 800-638-1991.

Medtronic is working to implement security updates for the programmers that will further address these vulnerabilities and will be implemented pending regulatory agency approvals. We will inform you as they become available. This notice must be passed to all those who need to be aware within your organization or to any organization where programmers have been transferred. Medtronic will notify all applicable regulatory agencies about this matter.

Adverse reactions or quality problems experienced with the use of a programmer may be reported to the FDA's MedWatch Adverse Event Reporting program either online, by regular mail or by fax.

We sincerely regret any difficulties this may cause you and your patients. Medtronic remains dedicated to patient safety and will continue to monitor system performance to ensure we meet your needs and those of your patients.

Sincerely,

Chris Harrold
Vice President, Quality and Regulatory
Medtronic Cardiac Rhythm and Heart Failure

Appendix A: Programmer Software Screen

Do not attempt to update the programmer via the SDN. If you select the “Install from Medtronic” button, it will result in an unsuccessful installation of software because access to the external SDN is no longer available. 

[Image: Programmer Software Screen]

Several messages may be observed if installation of software from the SDN is attempted (e.g. “Install from Medtronic…”). See the images below for an example of what will appear on the programmer display during the installation attempt. Below the larger “Please Wait” message will be a smaller window displaying a <connection status message>; refer to the highlighted area below. The connection status messages may alternate between “Connecting…”, “Searching for Network…”, “Logging in…”, “Unable to connect to local network”, and “Unable to connect to Medtronic”. Since the SDN is no longer available, the user should select “Cancel” to terminate the installation attempt.

If the user cycles power on the programmer without first cancelling the installation attempt, upon power-up a count-down window will appear on the screen for approximately 30 seconds with “Yes” and “No” buttons. The user should select “No” to terminate the installation attempt and return to the Model Select screen. If the user selects “Yes” or does not respond prior to the 30-second time out, the programmer will attempt the installation again, and the process described above will repeat until the user either selects “Cancel” or selects “No” during the count-down window.

[Image: Programmer Software Screen]