Week Seven

Hello! Welcome to this week's Ryan Report. Today, I will discuss the safety alert released this week by the FDA for Medtronic implantable cardiac device programmers.

Interestingly, this is only the thirteenth safety alert issued by the FDA in 2018 for medical devices, and the first as a result of cybersecurity considerations. The relative lack of cybersecurity capabilities of medical devices is well known in the healthcare security community, but perhaps this is the first instance of the year in which cyber vulnerabilities pose a realistic patient safety risk.

The Medtronic programmers are used during implantation and regular follow-up visits for Medtronic cardiac implantable electrophysiology devices (CIEDs). CIEDs include pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors. Physicians use the programmers to obtain device performance data, check battery status, and adjust device settings. Updates for the programmer are downloaded from Medtronic's Software Distribution Network (SDN) or by USB connection to the programmer.

In the safety alert, the FDA confirms that vulnerabilities exist that could allow an unauthorized user to change the programmer's functionality by compromising the software update download process from the SDN. To address the vulnerability, the FDA has approved Medtronic's update to the SDN, which will prevent the programmers in question from connecting to the SDN. The programmers will continue to be able to receive updates by USB connection.

This vulnerability represented a potentially serious threat to patient safety, and I applaud the FDA for this action. Further, Medtronic took responsibility for this vulnerability and, from my perspective, cooperated fully with the FDA during the coordinated disclosure and remediation process. Other medical device manufacturers should take note and proactively disclose known vulnerabilities to affected parties (patients, healthcare organizations, FDA, etc.) as soon as possible.
