FDA safety communication: Cybersecurity vulnerabilities for Medtronic devices
The Food and Drug Administration (FDA) is issuing this safety communication to alert healthcare providers and patients about cybersecurity vulnerabilities identified in a wireless telemetry technology used for communication between Medtronic’s implantable cardiac devices, clinic programmers, and home monitors. The FDA recommends that healthcare providers and patients continue to use these devices as intended and follow device labeling.
Although the system’s overall design features help safeguard patients, Medtronic is developing updates to further mitigate these cybersecurity vulnerabilities. To date, the FDA is not aware of any reports of patient harm related to these cybersecurity vulnerabilities. This communication does NOT apply to any pacemakers, cardiac resynchronization pacemakers (CRT-Ps), CareLink Express monitors, or the CareLink Encore Programmer (model 29901).
Medtronic’s implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds) are devices that provide pacing for slow heart rhythms and electrical shocks or pacing to stop dangerously fast heart rhythms.
The MyCareLink Monitor (models 24950 and 24952) wirelessly connects to the patient's implanted cardiac device and reads the data stored on the device. The transmitter, located in the patient's home, sends the patient's data to his or her physician(s) via the CareLink Network using a continuous landline, cellular, or wireless (wi-fi) Internet connection.
Affected Medtronic ICD and CRT-D device models include:
- Amplia MRI CRT-D, all models
- Claria MRI CRT-D, all models
- Compia MRI CRT-D, all models
- Concerto CRT-D, all models
- Concerto II CRT-D, all models
- Consulta CRT-D, all models
- Evera MRI ICD, all models
- Evera ICD, all models
- Maximo II CRT-D and ICD, all models
- Mirro MRI ICD, all models
- Nayamed ND ICD, all models
- Primo MRI ICD, all models
- Protecta CRT-D and ICD, all models
- Secura ICD, all models
- Virtuoso ICD, all models
- Virtuoso II ICD, all models
- Visia AF MRI ICD, all models
- Visia AF ICD, all models
- Viva CRT-D, all models
Affected Medtronic Programmer and Monitor models include:
- CareLink 2090 Programmer
- MyCareLink Monitor, models 24950 and 24952
- CareLink Monitor, model 2490C
The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with the use of the Conexus wireless telemetry protocol, which is used as part of the communication method between Medtronic’s ICDs, CRT-Ds, clinic programmers, and home monitors. The Conexus wireless telemetry protocol uses wireless radio frequency (RF) to enable communication between the devices and allows Medtronic programmers and monitoring accessories to do one or more of the following:
- Remotely transmit data from a patient’s implanted cardiac device to a specified healthcare clinic (remote monitoring), including important operational and safety notifications;
- Allow clinicians to display and print device information in real-time; and
- Allow clinicians to program implanted device settings.
The Conexus wireless telemetry protocol has cybersecurity vulnerabilities because it does not use encryption, authentication, or authorization. The FDA has confirmed that these vulnerabilities, if exploited, could allow an unauthorized individual (for example, someone other than the patient’s physician) to access and potentially manipulate an implantable device, home monitor, or clinic programmer.
Medtronic is working to create and implement additional security updates to address these cybersecurity vulnerabilities beyond the safety features in the current design, as described in Medtronic’s security bulletin. For example, the safety features in the current design include: the protocol can be activated only by the patient’s healthcare provider at a clinic, activation times vary by patient, and an unauthorized user would need to be close to an active device, monitor, or clinic programmer to take advantage of these vulnerabilities. For more information, see Medtronic’s Security Bulletin.