Chris Harrold,vice president of quality and regulatory, Medtronic Cardiac Rhythm and Heart Failure, has issued the following notification concerning CareLink 2090 Proggrammer and CareLink Encore 29901 Programmer:
Medtronic is writing to inform you of a modification we are making to improve cybersecurity of device programmers by changing how the programmers are updated with new software. Currently, the Medtronic CareLink™ 2090 and CareLink Encore™ 29901 programmers receive new software from one of two routes: using the USB port or using a network connection via the Software Distribution Network, or SDN. The SDN is a worldwide network that allows the download of new or updated software to the CareLink 2090 and CareLink Encore 29901 Programmers via the internet. Beginning October 11th, 2018, Medtronic will be disabling the SDN for programmer updates and will rely solely on the USB update method. If you currently use the USB updating process, there will be no change to your workflow.
Ad Statistics
Times Displayed: 6173
Times Visited: 20 Brand-New FDA-cleared Advanced Ultrasound Medical Device available for sale or lease to Wound Care Centers or any other Medical Facilities.The Arobella 1000D is designed for non-contact or debridement ultrasound wound healing therapy, or any other wounds
Vulnerabilities have been identified in the SDN download process that may allow an individual with malicious intent to update the programmers with non-Medtronic software during an SDN download. To date, Medtronic has received zero (0) reports to indicate that such an issue has occurred. Medtronic issued an initial security bulletin in February 2018 with an update in June 2018 which can be found at www.medtronic.com/security.
However, further review of these vulnerabilities with the FDA and external researchers led to the conclusion that the process for updating software through the SDN may introduce risks that, if not fully mitigated, could result in harm to a patient depending on the extent and intent of a malicious cyberattack and the patient’s underlying condition. To date, neither such an attack nor resultant patient harm has been observed.
The programmers are safe to use by following these recommendations. Medtronic provides the following recommendations related to CareLink 2090 and CareLink Encore 29901 programmers:
Continue to use the programmers for programming, testing and evaluation of cardiovascular implantable electronic devices (CIED) patients. Network connectivity is not required for normal CIED programming and similar operation.
Other Medtronic-provided features that require network connections are not impacted by these vulnerabilities (e.g. SessionSync™). You may continue to use such features.
Do not attempt to update the programmer via the SDN. If you select the “Install from Medtronic” button, it will not result in software installation because access to the external SDN is no longer available. See Appendix A.
