FDA Warns of Cyber Concerns With Implantable Pacemakers

Megan Brooks

October 12, 2018

Hacking concerns have prompted Medtronic to disable internet updates for its CareLink 2090 and CareLink Encore 29901 device programmers, according to a safety alert from the US Food and Drug Administration (FDA).

The programmers allow providers to access Medtronic cardiac implantable electrophysiology devices (CIEDs), which include pacemakers and implantable defibrillators, cardiac resynchronization devices, and implantable cardiac monitors.

Until now, the Medtronic CareLink 2090 and CareLink Encore 29901 programmers received new software updates one of two ways: the USB port or a network connection via the Software Distribution Network (SDN). The SDN is a worldwide network that allows the download of new or updated software to the CareLink 2090 and CareLink Encore 29901 programmers over the internet.

On October 11, Medtronic disabled the SDN for programmer updates and said it will rely solely on USB updates.

Medtronic issued an initial security notice in February, with an update in June.

"However, further review of these vulnerabilities with the FDA and external researchers led to the conclusion that the process for updating software through the SDN may introduce risks that, if not fully mitigated, could result in harm to a patient depending on the extent and intent of a malicious cyberattack and the patient's underlying condition," Medtronic said in the letter.

To date, the company said it has not observed or received a report of an attack or patient harm related to these cybersecurity vulnerabilities.

"As of October 11, when software updates are needed, a Medtronic representative will manually update, via a secured USB, all CareLink 2090 and Encore 29901 programmers," the company said in a statement emailed to theheart.org | Medscape Cardiology.

"Importantly, this action does not require updates to patients' implanted devices. Physicians should continue to use the programmers for programming, testing, and evaluating implanted cardiac devices," they said.

This safety communication demonstrates a "shared cybersecurity responsibility among government entities, cybersecurity researchers, and industry to protect patient safety," Suzanne Schwartz, MD, associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health, said in an FDA statement.

"The FDA values the important work of cybersecurity researchers in helping the agency and manufacturers identify and address potential cyber threats. While we are not aware of patients who may have been harmed by this particular cyber vulnerability, the risk to patient harm of leaving such a vulnerability unaddressed is too great. The safety communication issued today contains recommendations for what actions health care providers should do to update the device and reduce the risk this vulnerability could pose.

"The FDA is committed to protecting patient safety by working with all stakeholders to develop and implement solutions to address cybersecurity issues throughout a product's total lifecycle," Schwartz added.

The FDA recommends that healthcare providers take the following actions:

  • Continue to use the programmers for programming, testing, and evaluation of CIED patients. Network connectivity is not required for normal CIED programming or similar operations.

  • Other Medtronic-provided features that require network connections are not affected by these vulnerabilities (e.g., SessionSync), so such features can continue to be used.

  • Do not attempt to update the programmer through the SDN. If the "Install from Medtronic" button is selected, it will not result in software installation because access to the external SDN is no longer available.

  • Future programmer software updates must be received directly from a Medtronic representative with a USB update.

  • Maintain control of programmers within your facility at all times according to your hospital's IT policies.

  • Operate the programmers within well-managed IT networks. Consult your IT department regarding the security of your network. For recommended actions to better secure your computer network environment, refer to the National Institute of Standards and Technology cybersecurity framework or other applicable cybersecurity guidance.

  • Reprogramming or updating of CIEDs is not required as a result of this correction, and prophylactic CIED replacement is not recommended.

Questions regarding this announcement can be directed to Medtronic Technical Services at 800-638-1991.

"At Medtronic, patient safety is our top priority," the company added. "Medtronic takes the security of our products seriously, and we continue to proactively minimize and mitigate cybersecurity vulnerabilities during premarket-development and post-market use."
