Federal health officials are warning that hackers could change the settings for certain Medtronic implantable cardioverter defibrillators (ICDs) and other medical devices, indicating that cybersecurity flaws may expose patients to serious risks.
In a safety communication issued on March 21, the FDA warns about vulnerabilities with Medtronic ICDs or cardiac resynchronization therapy defibrillators (CRT-Ds), after discovering that the wireless telemetry system used to communicate with and alter the implanted devices could be hacked due to a lack of security protocols.
The warning impacts at least 22 different models of Medtronic defibrillators, which are designed to provide pacing for slow heart rhythms and electrical shocks or pacing to stop dangerously fast heart rhythms.
The devices are implanted under the skin of a patient in the upper chest area, with connecting insulated leads that go into the heart to monitor and deliver pacing therapy. The devices are connected to a transmitter located in a patient’s home, which sends the heart rate data to a physician through the CareLink Network, using a continuous landline, cellular or wireless internet connection.
FDA officials warn that the wireless telemetry system, Conexus, which uses radio frequency to enable communication between the implanted devices and monitoring equipment, does not use encryption, authentication, or authorization protocols to connect to the devices. This could leave patients vulnerable to someone hacking the network, the agency warns.
Due to the lack of cybersecurity protocols, if the device were to be exploited, someone could disrupt the transmission of data from the implanted device to the monitoring equipment, prevent clinicians from seeing activity in real time, and alter any of the implanted device’s settings, the warning indicates.
While the FDA continues to work with Medtronic to implement additional security updates, the agency recommends that patients and physicians only use remote monitors obtained directly from healthcare providers or the manufacturer, keep track of the remote monitors, and make certain any automatically scheduled remote transmissions occur in a timely manner.
At this time, patients are being instructed to continue using their implanted devices and CareLink monitoring systems, as failing to do so could be life-threatening. Physicians are also being encouraged to discuss the potential cybersecurity vulnerabilities with patients needing implanted Medtronic devices. If a patient begins to feel lightheaded or dizzy, loses consciousness, or experiences chest pains or severe shortness of breath, they should seek medical care immediately.
Patients or physicians with additional questions regarding the warning announcement are encouraged to contact Medtronic Technical Services at 855-275-2717 to discuss the potential vulnerabilities.
This is not the first time Medtronic implants were linked to cybersecurity concerns. In October 2018, Medtronic issued an Urgent Medical Device Correction to physicians, notifying them that more than 34,000 implantable pacemakers were vulnerable to hacking. Medtronic disconnected the devices from internet access for software updates as a result.
The correction came after Medtronic discovered the CareLink 2090 Programmer and the CareLink Encore 29901 Programmer could be susceptible to hacking, which could potentially allow someone to gain control over the device and change electronic pulse functions or give false readings.