FDA Safety Communication about Cybersecurity Vulnerabilities Affecting Medtronic Implantable Cardiac Devices, Programmers and Home Monitors
The U.S. Food and Drug Administration (FDA) has issued a safety communication to alert health care providers and patients about cybersecurity vulnerabilities identified in a wireless telemetry technology used for communication between Medtronic’s implantable cardiac devices, clinic programmers, and home monitors. The FDA recommends that health care providers and patients continue to use these devices as intended and follow device labeling.
Although the system’s overall design features help safeguard patients, Medtronic is developing updates to further mitigate these cybersecurity vulnerabilities. To date, the FDA is not aware of any reports of patient harm related to these cybersecurity vulnerabilities.
This communication does NOT apply to any pacemakers, cardiac resynchronization pacemakers (CRT-Ps), CareLink Express monitors, or the CareLink Encore Programmer (model 29901).
The Conexus wireless telemetry protocol uses wireless radio frequency (RF) to enable communication between the devices and allows Medtronic programmers and monitoring accessories to do one or more of the following:
- Remotely transmit data from a patient’s implanted cardiac device to a specified health care clinic (remote monitoring), including important operational and safety notifications;
- Allow clinicians to display and print device information in real-time; and
- Allow clinicians to program implanted device settings.
The Conexus wireless telemetry protocol has cybersecurity vulnerabilities because it does not use encryption, authentication, or authorization. The FDA has confirmed that these vulnerabilities, if exploited, could allow an unauthorized individual (for example, someone other than the patient’s physician) to access and potentially manipulate an implantable device, home monitor, or clinic programmer.
Medtronic is working to create and implement additional security updates to address these cybersecurity vulnerabilities beyond safety features in the current design as described in Medtronic’s security bulletin, follow the link below for more details.
Recommendations for Health Care Providers
- Continue to use the CareLink programmers for programming, testing and evaluation of ICD and CRT-D patients. There is no programmable setting that allows a clinician to turn off the Conexus wireless capabilities in the affected devices.
- Maintain control of CareLink programmers within your facility at all times according to your hospital Information Technology (IT) policies.
- Use only home monitors, programmers, and implantable devices obtained directly from the manufacturer to ensure integrity of the system.
- Remind patients to keep their home monitors plugged in:
- The benefits of remote wireless monitoring of an implantable device outweigh the practical risk of an unauthorized user exploiting the devices’ vulnerabilities.
- The monitor must remain powered on to ensure timely transmission of any wireless CareAlerts programmed by the physician, and to ensure automatically-scheduled remote transmissions occur at the specified time.
- Operate the programmers within well-managed IT networks. Consult with your IT department regarding the security of your network. For recommended actions to better secure your computer network environment, refer to https://www.nist.gov/cyberframework.
- Reprogramming or updating the affected devices is not required at this time.
- Prophylactic ICD or CRT-D replacement is not recommended and should not be performed to solely address these vulnerabilities.
- As with any connected medical device and especially implanted life-supporting or life-sustaining devices, discuss the risk of cybersecurity vulnerabilities with your patients prior to implanting ICDs and CRT-Ds, along with other device risks and benefits, and take advantage of the latest software updates and improvements to devices.
The FDA’s safety communication also includes recommendations for patients and caregivers. Follow the link below for additional information.
Want to read the full alert and receive alert emails?