The Food and Drug Administration (FDA) has confirmed that cybersecurity vulnerabilities associated with Medtronic cardiac implantable electrophysiology devices (CIEDs) could allow unauthorized users to change the programmer’s functionality or the implanted device during the device implantation procedure or during follow-up visits.
Specifically, the vulnerability is associated with using an internet connection to update software between the Medtronic CareLink and CareLink Encore Programmers (models 2090 and 29901) and the Medtronic Software Distribution Network (SDN).
Programmers allow physicians to obtain device performance data, check battery status, and adjust or reprogram device settings from a CIED; when necessary, they are also used by Medtronic staff to update software in the implanted device. Following its review, the FDA has approved an update by Medtronic to intentionally block the currently existing programmer from accessing the Medtronic SDN.
The Agency explained in a statement that, “[a]s such, attempting to update the programmer through the internet by selecting the ‘Install from Medtronic’ button on the programmer will result in error messages such as ‘Unable to connect to local network’ or ‘Unable to connect to Medtronic.’”
Healthcare providers are advised that reprogramming or updating CIEDs is not required, and prophylactic CIED replacement is not recommended. The FDA recommends that providers continue to use the Programmers for programming, testing and evaluating CIED patients; future programmer software updates must be received directly from a Medtronic representative with a USB update.
To date, there are no known reports of patient harm related to these cybersecurity vulnerabilities. The FDA asks that any suspected problem with these devices be promptly reported to MedWatch.
For more information visit FDA.org.