FDA Warns of Cybersecurity Vulnerabilities With Some Medtronic Implanted Devices
The wireless telemetry protocol is open to exploitation, which could allow hackers to change the settings of ICDs, programmers, and home monitors.
The US Food and Drug Administration has issued a safety communication warning doctors and patients about cybersecurity vulnerabilities in several of Medtronic’s products, including implantable cardioverter-defibrillators (ICDs) and combination cardiac resynchronization therapy-defibrillators (CRT-Ds), that rely on wireless telemetry.
The wireless telemetry protocol, which is used to transmit patient data from the implanted cardiac device to Medtronic clinic programmers and home monitors, is vulnerable because it does not use “encryption, authentication, or authorization,” according to the agency.
“The FDA has confirmed that these vulnerabilities, if exploited, could allow an unauthorized individual (for example, someone other than the patient’s physician) to access and potentially manipulate an implantable device, home monitor, or clinic programmer,” it stated in the safety communication.
The cybersecurity warning covers several ICD and CRT-D models; the CareLink 2090 Programmer, which is used during implantation and to wirelessly interrogate devices during follow-up visits; and the MyCareLink (models 24950 and 24952) and CareLink (model 2490C) home monitors. The vulnerable wireless telemetry protocol covered by the safety communication is not used in Medtronic pacemakers.
To date, there have been no reports of patient harm related to the vulnerabilities, according to the FDA. The agency recommends physicians continue to use the CareLink programmer and patients keep their home monitors plugged in to ensure any wireless alerts and scheduled remote transmissions occur in a timely manner.
“The benefits of remote wireless monitoring of an implantable device outweigh the practical risk of an unauthorized user exploiting these devices’ vulnerabilities,” states the FDA. The agency stresses that reprogramming or updating the affected devices is not required at this time, nor is prophylactic ICD or CRT-D replacement recommended.
Medtronic also issued a safety bulletin warning physicians and patients about the cybersecurity issues, and stated it is working with the FDA to address the vulnerabilities. The agency and Medtronic will inform the public when new information is available. In its bulletin, Medtronic added that to take advantage of the cybersecurity lapse, unauthorized individuals would need to be close to the product (within 20 feet) and have detailed knowledge of the devices and electrophysiology. Also, outside of the clinic, activation of the wireless transmission varies and is difficult to predict for an unauthorized user, the company said.
Reference: US Food and Drug Administration. Cybersecurity vulnerabilities affecting Medtronic implantable cardiac devices, programmers, and home monitors: FDA safety communication. Published March 21, 2019. Accessed March 22, 2019.