FDA Warns of Cybersecurity Vulnerabilities in Medtronic ICD, CRT-D Telemetry Systems

March 22, 2019

The US Food and Drug Administration (FDA) has issued a safety alert regarding cybersecurity vulnerabilities in telemetry systems in certain Medtronic lines of CareLink programmers and monitors used with many of its defibrillator implant systems.

The vulnerabilities, stemming from a lack of "encryption, authentication, or authorization," were discovered in the Conexus wireless telemetry protocol that allows communication between the implanted devices, home monitors, and clinic-based providers, the agency says.

"The FDA has confirmed that these vulnerabilities, if exploited, could allow an unauthorized individual to access and potentially manipulate an implantable device, home monitor, or clinic programmer," its announcement states.

Exploiting the vulnerabilities would require a radiofrequency device designed for the Conexus protocol, and the user of that device would need to "have adjacent short-range access to the affected products," among other restrictions, notes a US Department of Homeland Security (DHS) statement on the safety alert.

Affected Medtronic programmers include the CareLink 2090; affected monitors include MyCareLink models 24950 and 24952 and CareLink model 2490C.

Generators covered by the alert include Virtuoso, Evera, and other lines of implantable cardioverter defibrillators (ICDs), and cardiac resynchronization therapy (CRT) devices with ICD capability (CRT-D), including Concerto and Maximo models. Both the FDA and DHS announcements contain a more extensive list.

The alert does not apply to any of the company's pacemaker-only devices, such as CRT devices without ICD capability, nor to CareLink Express monitors or the CareLink Encore Programmer model 29901, the agency says.

"To date, the FDA is not aware of any reports of patient harm related to these cybersecurity vulnerabilities."

Device reprogramming or software updates are currently "not required" and prophylactic device replacement "is not recommended and should not be performed" to address the vulnerability problem alone.

The agency "recommends that healthcare providers and patients continue to use these devices as intended and follow device labeling," and says Medtronic is working on security updates to address the problem.

Cybersecurity Vulnerabilities Affecting Medtronic Implantable Cardiac Devices, Programmers, and Home Monitors: FDA Safety Communication. Published March 21, 2019.

Medical Advisory (ICSMA-19-080-01) Medtronic Conexus Radio Frequency Telemetry Protocol. Original release date: March 21, 2019.

Follow Steve Stiles on Twitter: @SteveStiles2.


