In an open letter posted on its website last week, Medtronic announced its intent to disable internet update capability for CareLink programming devices associated with the company’s implantable defibrillators. The change impacted 34,000 devices worldwide, according to Reuters.
In making the announcement, Medtronic acknowledged that cybersecurity flaws were the motivation behind the shutdown of internet accessibility. Although Medtronic previously downplayed the problem, cybersecurity experts have been calling for a response to vulnerabilities that arise when the programming devices receive updates through the Software Distribution Network (SDN). The problems were identified in a 2017 report by WhiteScope, a security services firm.
“Vulnerabilities have been identified in the SDN download process that may allow an individual with malicious intent to update the programmers with non-Medtronic software during an SDN download,” the Medtronic letter states.
Medtronic also emphasizes that there have been no reported incidents of hacking and that all patients have been consistently free from harm.
The internet updates are disabled in the CareLink 2090 and CareLink Encore 29901 devices. Updates can still be performed using the devices’ USB ports.
“We sincerely regret any difficulties this may cause you and your patients,” the letter concludes. “Medtronic remains dedicated to patient safety and will continue to monitor system performance to ensure we meet your needs and those of your patients.”