Medtronic disables pacemaker programmer updates over hack concern

NEW YORK (Reuters) - Medical device maker Medtronic Plc has disabled internet updates for some 34,000 CareLink programming devices that healthcare providers around the world use to access implanted pacemakers, saying the system was vulnerable to cyber attacks.

The company, in a letter sent to physicians this week, said it knows of no cases where the vulnerability was exploited by hackers. The letter was labelled “urgent medical device correction.”

The vulnerability “could result in harm to a patient depending on the extent and intent of a malicious cyberattack and the patient’s underlying condition,” according to the letter, which was seen by Reuters on Thursday.

Pacemakers and implantable defibrillators are small devices placed in the chest that use electronic pulses to control abnormal heart rhythms in patients with arrhythmias.

The U.S. Food and Drug Administration issued a safety notice describing the vulnerability, saying it reviewed the matter and approved of Medtronic’s decision to disable the internet updates.

The agency urged healthcare providers to continue to use the CareLink programs, but advised them not to attempt to update the software over the internet. It said that patients do not need to take any action to mitigate the vulnerability.

Medical device makers have bolstered efforts to mitigate product security vulnerabilities in recent years following a flurry of warnings from security researchers who have identified bugs in devices like the Medtronic implant programmers.

There have been no documented reports of attacks on medical devices, though researchers warn the industry is far behind the computer industry in protecting devices from hackers.

Medtronic in August issued an alert on the issue with its CareLink programmers after researchers discussed the vulnerability at the Black Hat hacking conference. Medical device security experts said they had uncovered a bug that could enable hackers to install malicious software onto the programmers, then attack implanted pacemakers.

Medtronic kept the network updates running until recently, saying it had increased security controls and boosted monitoring for potential malicious activity.

The vulnerability affects the internet-based platform for updating some 34,000 CareLink 2090 and CareLink Encore 29901 programmers that healthcare providers around the globe use to program implanted pacemakers, according to Medtronic.

The company said in the letter that it was working to develop security updates “that will further address these vulnerabilities and will be implemented pending regulatory agency approvals.”

In the meantime, the programmers can still be manually updated using a USB connection, it said.

Reporting by Jim Finkle in New York; Editing by Bill Berkrot and Leslie Adler