By Jim Finkle
NEW YORK (Reuters) – Medical device maker Medtronic Plc has disabled internet updates for some 34,000 CareLink programming devices that healthcare providers around the world use to access implanted pacemakers, saying the system was vulnerable to cyber attacks.
The company said it knows of no cases where the vulnerability had been exploited by hackers in a letter sent to physicians this week, which was labeled “urgent medical device correction.”
The vulnerability “could result in harm to a patient depending on the extent and intent of a malicious cyberattack and the patient’s underlying condition,” according to the letter, which was seen by Reuters on Thursday.
Medical device makers have bolstered efforts to identify and mitigate security vulnerabilities in their products in recent years in response to a flurry of warnings from security researchers, who have identified bugs in devices like the Medtronic implant programmers.
There have been no documented reports of attacks on medical devices, though researchers warn the industry is far behind the computer industry in protecting devices from hackers.
Medtronic in August issued a security bulletin on the issue with its CareLink programmers after researchers discussed the vulnerability at the Black Hat hacking conference in Las Vegas. Medical device security experts said they had uncovered a bug that could enable hackers to update malicious software onto the programmers, then attack implanted pacemakers.
Pacemakers and implantable defibrillators are small devices placed in the chest that use electronic pulses to control abnormal heart rhythms in patients with arrhythmias.
Medtronic kept the network updates running until recently, saying it had increased security controls and boosted monitoring for potential malicious activity.
The vulnerability affects the internet-based platform for updating some 34,000 CareLink 2090 and CareLink Encore 29901 programmers that healthcare providers around the globe use to program implanted pacemakers, according to Medtronic.
The company said in the letter that it was is working to develop security updates “that will further address these vulnerabilities and will be implemented pending regulatory agency approvals.”
In the meantime, the programmers can still be manually updated using a USB connection, the letter said.
(Reporting by Jim Finkle in New York; Editing by Bill Berkrot)