Medtronic is working on new updates to mitigate the vulnerabilities. Credit: Medtronic plc.

The US Food and Drug Administration (FDA) has detected cybersecurity vulnerabilities in Medtronic’s implantable cardiac devices, clinic programmers and home monitors.

The issues were found in Conexus telemetry technology, which uses wireless radio frequency (RF) channels to enable Medtronic programmers and monitoring accessories to remotely transfer data from a patient’s cardiac device to a specific healthcare clinic.

Go deeper with GlobalData

Go deeper with GlobalData

The gold standard of business intelligence.

Find out more

Discover B2B Marketing That Performs

Combine business intelligence and editorial excellence to reach engaged professionals across 36 leading media platforms.

Find out more

Clinicians use the technology to display and print device information in real-time and programme implanted device settings.

Transmitted data is not encrypted and does not require authentication or authorisation. This could be exploited to enable an unauthorised individual to access and alter the devices.

The FDA’s alert covers cardiac implantable cardioverter defibrillators (ICD) or cardiac resynchronisation therapy defibrillators (CRT-D) but does not include pacemakers, cardiac resynchronisation pacemakers (CRT-P), CareLink Express monitors or the CareLink Encore Programmer.

“The FDA recommends that healthcare providers and patients continue to use these devices as intended and follow device labelling.”

The US regulator advised healthcare providers and patients to continue using the devices while Medtronic works on new updates to mitigate the vulnerabilities.

GlobalData Strategic Intelligence

US Tariffs are shifting - will you react or anticipate?

Don’t let policy changes catch you off guard. Stay proactive with real-time data and expert analysis.

By GlobalData

A statement from the FDA read: “The FDA recommends that healthcare providers and patients continue to use these devices as intended and follow device labelling.

“Although the system’s overall design features help safeguard patients, Medtronic is developing updates to further mitigate these cybersecurity vulnerabilities.”

The agency added that no reports have been received regarding any harm to patients due to these cybersecurity issues.

In October last year, Medtronic disabled online updates for some of its CareLink and CareLink Encore programmers, as they were found to be vulnerable to cybersecurity attacks.

The programmers facilitate access to the company’s cardiac implantable electrophysiology devices (CIED), including pacemakers and defibrillators.

Medical Device Network Excellence Awards - Nominations Closed

Nominations are now closed for the Medical Device Network Excellence Awards. A big thanks to all the organisations that entered – your response has been outstanding, showcasing exceptional innovation, leadership, and impact

Excellence in Action
HemoSonics has won the 2025 Marketing Award for its impactful promotion of theQuantra Hemostasis System and leadership in blood management education. See how targeted campaigns, thought leadership content, and hands on clinician training are accelerating Quantra’s market traction and shaping the future of hemostasis testing.

Discover the Impact