This article is more than 5 years old. Information may no longer be current.

Software update issued for cybersecurity vulnerabilities in Medtronic devices

Add topic to email alerts

Receive an email when new articles are posted on

Please provide your email address to receive an email when new articles are posted on .

Subscribe

Added to email alerts

You've successfully added to your alerts. You will receive an email when new content is published.

Click Here to Manage Email Alerts

You've successfully added to your alerts. You will receive an email when new content is published.

Click Here to Manage Email Alerts

Back to Healio

We were unable to process your request. Please try again later. If you continue to have this issue please contact customerservice@slackinc.com.

Back to Healio

The FDA issued a safety communication that Medtronic will issue a software update to resolve cybersecurity vulnerabilities associated with two programmers used to implant cardiac implantable electrophysiology devices in patients with HF or arrhythmia disorders.

The internet connection between the two programmers (CareLink and CareLink Encore models 2090 and 29901, Medtronic) had vulnerabilities when software was downloaded from a network (Software Distribution Network, Medtronic), according to the safety communication from the FDA. The FDA confirmed that the vulnerabilities may allow someone other than the patient’s physician to change the functionality of the programmer or the device.

The programmers are used during cardiac implantable electrophysiology device implantation and regular follow-up visits for patients who have received implantable defibrillators, pacemakers, insertable cardiac monitors and cardiac resynchronization devices, according to the FDA alert. Physicians use the programmers to obtain data from the device, adjust or reprogram settings and check battery status, in addition to updating software in the device, which can be downloaded through internet connection or by a company representative.

The FDA approved an update to the company’s network that blocks the programmers from accessing it, according to the safety communication. There are no further updates to the programmers, and there are no known cases of patient harm related to the issue. The company is currently working on additional security updates for these vulnerabilities.

Health care providers are recommended to continue to use the programmers, as network connectivity is not required for normal cardiac implantable electrophysiology device programming. The software distribution network should not be used to update the programmers, and they should be maintained according to hospitals’ IT policies, according to the safety communication.

In addition, the alert advised that prophylactic device replacement or reprogramming is not recommended.

Anyone suspecting an adverse event or other problem related to this issue should report it using the FDA’s MedWatch program, according to the alert.