FDA issues alert on cybersecurity vulnerabilities in Medtronic devices

The US Food and Drug Administration (FDA) has detected cybersecurity vulnerabilities in Medtronic’s implantable cardiac devices, clinic programmers and home monitors.

The issues were found in Conexus telemetry technology, which uses wireless radio frequency (RF) channels to enable Medtronic programmers and monitoring accessories to remotely transfer data from a patient’s cardiac device to a specific healthcare clinic.

Clinicians use the technology to display and print device information in real-time and programme implanted device settings.

Transmitted data is not encrypted and does not require authentication or authorisation. This could be exploited to enable an unauthorised individual to access and alter the devices.

The FDA’s alert covers cardiac implantable cardioverter defibrillators (ICD) or cardiac resynchronisation therapy defibrillators (CRT-D) but does not include pacemakers, cardiac resynchronisation pacemakers (CRT-P), CareLink Express monitors or the CareLink Encore Programmer.

The US regulator advised healthcare providers and patients to continue using the devices while Medtronic works on new updates to mitigate the vulnerabilities.

A statement from the FDA read: “The FDA recommends that healthcare providers and patients continue to use these devices as intended and follow device labelling.

“Although the system’s overall design features help safeguard patients, Medtronic is developing updates to further mitigate these cybersecurity vulnerabilities.”

The agency added that no reports have been received regarding any harm to patients due to these cybersecurity issues.

In October last year, Medtronic disabled online updates for some of its CareLink and CareLink Encore programmers, as they were found to be vulnerable to cybersecurity attacks.

The programmers facilitate access to the company’s cardiac implantable electrophysiology devices (CIED), including pacemakers and defibrillators.