Medtronic PLC, a Dublin-based medical device company, disabled internet updates for two models of its CareLink devices after the company sent a letter to physicians warning them of the devices' vulnerabilities to cyberattacks.
The letter states that Medtronic has not received a report that any attack or patient harm has taken place but warned that an attack "could result in harm to a patient depending on the extent and intent of a malicious cyberattack and the patient's underlying condition."
The two CareLink models are computer systems used to monitor cardiac medical devices and store data from the device, according to the company's website. The CareLink models were found to be vulnerable to attack during software updates, which can be done through an internet connection or a secured USB drive.
The letter states that security alerts regarding the pacemaker programmers were issued in February and June. According to a spokesperson for Medtronic, the company further reviewed the safety of the two models with the U.S. Food and Drug Administration and disabled internet updates Oct. 11.
The Medtronic spokesperson also said the concerns are just with the computer systems and that patients do not need to update any implanted medical devices.
As healthcare-related cyberattacks on devices have increased, protecting devices has become an area of increasing concern for the industry and the government agencies that oversee devices.
FDA Commissioner Scott Gottlieb recently addressed concerns regarding patient safety and medical-device security during the announcement of new FDA cybersecurity initiatives. Gottlieb said the FDA is not aware of any attacks on medical devices but "the risk of such an attack persists."
The FDA, which oversees the medical device industry and is responsible for ensuring that certain products it reviews are able to defend against cybersecurity threats, released a cybersecurity playbook as part of Gottlieb's remarks. The playbook outlines an emergency response plan for healthcare providers to use in the case of a medical-device cyberattack.
While protection of patients' safety is a concern when it comes to medical device security, directly impacting a medical device is not the only reason that hackers target such devices.
A study from ZingBox Inc., an internet security company, found that medical devices were leaking information about their networks. Devices can be remotely connected to a hospital's network, and hackers can get information like usernames and passwords by monitoring the networks through the devices, according to the study.