FDA Issues Safety Communication Regarding Cybersecurity Vulnerabilities Affecting Medtronic Implantable Cardiac Devices, Programmers, and Home Monitors

The FDA issued a Safety Communication on March 21, 2019 entitled “Cybersecurity Vulnerabilities Affecting Medtronic Implantable Cardiac Devices, Programmers, and Home Monitors.” Its stated purpose is “to alert health care providers and patients about cybersecurity vulnerabilities identified in a wireless telemetry technology used for communication between Medtronic’s implantable cardiac devices, clinic programmers, and home monitors.”

Medtronic’s implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds) are devices that provide pacing for slow heart rhythms and electrical shocks or pacing to stop dangerously fast heart rhythms.

ICDs and CRT-Ds are implanted under the skin in the upper chest area with connecting insulated wires called leads that go into the heart. A patient may need an ICD or CRT-D if their heartbeat is too slow (bradycardia), too fast (tachycardia), or needs coordination to treat heart failure. The Medtronic CareLink Programmer (model 2090) is used during the implantation and regular follow-up visits for Medtronic ICDs and CRT-Ds.

The MyCareLink Monitor (models 24950 and 24952) is used to wirelessly connect to the patient’s implanted cardiac device and read the data stored on the device. The transmitter, located in the patient’s home, sends the patient’s data to his or her physician(s) over the CareLink Network using a continuous landline, cellular, or wireless (Wi-Fi) Internet connection.

The Potential Cybersecurity Vulnerabilities

The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with the use of the Conexus wireless telemetry protocol, which is used as part of the communication method between Medtronic’s ICDs, CRT-Ds, clinic programmers, and home monitors.

The Conexus wireless telemetry protocol uses wireless radio frequency (RF) to enable communication between the devices and allows Medtronic programmers and monitoring accessories to do one or more of the following:

– Remotely transmit data from a patient’s implanted cardiac device to a specified health care clinic (remote monitoring), including important operational and safety notifications;

– Allow clinicians to display and print device information in real-time; and

– Allow clinicians to program implanted device settings.

The Conexus wireless telemetry protocol has cybersecurity vulnerabilities because it does not use encryption, authentication, or authorization. The FDA has confirmed that these vulnerabilities, if exploited, could allow an unauthorized individual (for example, someone other than the patient’s physician) to access and potentially manipulate an implantable device, home monitor, or clinic programmer.

To date, the FDA is not aware of any reports of patient harm related to these cybersecurity vulnerabilities. The FDA recommends that health care providers and patients continue to use these devices as intended and follow device labeling.


If you or a loved one suffered harm due to a defective medical device or implant, such as implantable cardiac devices, in the United States, you should promptly consult with a medical device claim lawyer in your U.S. state who may investigate your defective medical device claim for you and represent you or your loved one in a medical device claim, if appropriate.

Visit our website or call us toll-free in the United States at 800-295-3959 to find medical device lawyers in your state who may assist you.

Turn to us when you don’t know where to turn.

This entry was posted on Thursday, April 4th, 2019 at 5:26 am.
