FDA: Potential cybersecurity vulnerabilities in Medtronic ICDs, CRTs
The FDA has issued a safety communication regarding cybersecurity vulnerabilities in the wireless telemetry technology used in several implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators made by Medtronic to treat patients with arrhythmia disorders and HF.
The wireless telemetry protocol (Conexus) used to communicate between devices, monitors and programmers has cybersecurity vulnerabilities because it does not use authentication, encryption or authorization. As a result, someone who is not authorized to review the data may be able to manipulate the device, monitor or programmer, according to a safety communication from the FDA.
This wireless telemetry protocol is used to communicate between devices by wireless radio frequency. Through this process, data are remotely transmitted to health care clinics for clinicians to review in real time and to program implanted device settings, according to the safety communication.
Affected devices include those that use a programmer (CareLink Programmer) during implantation and follow-up. These devices also use a monitoring system (MyCareLink Monitor) that wirelessly connects to the implanted device to obtain data, which are then transmitted through a network to a physician, according to the safety communication.
There have been no reports of patient harm associated with the cybersecurity vulnerabilities, according to the safety communication. Health care providers and patients are advised to continue using these devices.
In addition, health care providers should maintain control of programmers within their facility based on information technology policies and operate them within secure IT networks. Patients should be reminded that the benefits of using these devices, monitors and programmers outweigh the risk and that the monitor should be on at all times for timely data transmission. Health care providers do not need to reprogram or update the devices at this time, nor replace any prophylactic ICD or CRT devices, according to the safety communication.
Medtronic is currently working with the FDA to create and implement security updates to address these concerns, according to the safety communication.
“The FDA urges manufacturers everywhere to remain vigilant about their products — companies should take steps to monitor and assess cybersecurity vulnerability risk and be proactive about disclosing vulnerabilities and mitigations to address them,” according to the safety communication. “This is part of the FDA’s overall effort to collaborate with manufacturers and health care delivery organizations — as well as security researchers and other government agencies — to develop and implement solutions to address cybersecurity issues throughout a device’s total product lifecycle.”
Devices, programmers and monitors with cybersecurity vulnerabilities can be found on the FDA website.