Medtronic Heart Implants, Other Wireless Devices, Have Serious Cybersecurity Flaws, FDA Warns

Federal health officials are warning that hackers could change the settings for certain Medtronic implantable cardioverter defibrillators (ICD) and other medical devices, indicating that cybersecurity flaws may expose patients to serious risks.

In a safety communication issued on March 21, the FDA warns about vulnerabilities with Medtronic ICDs or cardiac resynchronization therapy defibrillators (CRT-Ds), after discovering the wireless telemetry system used to communicate and alter the implanted devices could be hacked due to a lack of security protocols.

The warning impacts at least 22 different models of Medtronic defibrillators, which are designed to provide pacing for slow heart rhythms and electrical shocks or pacing to stop dangerously fast heart rhythms.

Hair-Dye-Cancer-Lawsuits
Hair-Dye-Cancer-Lawsuits

The devices are implanted under the skin of a patient in the upper chest area, with connecting insulated leads that go into the heart to monitor and deliver pacing therapy. The devices are connected to a transmitter located in a patient’s home, which sends the heart rate data to a physician through the CareLink Network, using either a continuous landline, cellular or wireless internet connection.

FDA officials warn that the wireless telemetry system, Conexus, which uses radio frequency to enable communication between the implanted devices and monitoring equipment, does not use encryption, authentication, or authorization protocols to connect to the devices. This could leave patients vulnerable to someone hacking the network, the agency warns.

Due to the lack of cyber security protocols, if the device was to be exploited, someone could disrupt the transmission of data from the implanted device to the monitoring equipment, prevent clinicians from seeing activity in real-time, and could alter any of the implanted device’s settings, the warning indicates.

While the FDA continues to work with Medtronic implement additional security updates, the agency recommends patients and physicians only use remote monitors obtained directly from healthcare providers or the manufacturer, keep track of the remote monitors, and make certain any automatically scheduled remote transmissions occur in a timely manner.

At this time, patients are being instructed to continue using their implanted devices and CareLink monitoring systems, as failing to do so could be life-threatening. Physicians are also being encouraged to discuss the potential cybersecurity vulnerabilities with patients needing implanted Medtronic devices. If a patient begins to feel lightheaded, dizzy, lose consciousness, chest pains or severe shortness of breath they should seek medical care immediately.

Patients or physicians with additional questions regarding the warning announcement are encouraged to contact Medtronic Technical Services at 855-275-2717 to discuss the potential vulnerabilities.

This is not the first time Medtronic implants were linked to cybersecurity concerns. In October 2018, Medtronic issued an Urgent Medical Device Correction to physicians, notifying them that more than 34,000 implantable pacemakers were vulnerable to hacking. Medtronic disconnected the devices from internet access for software updates as a result.

The correction came after Medtronic discovered the CareLink 2090 Programmer and the CareLink Encore 29901 Programmer could be susceptible to hacking, which could potentially allow someone to gain control over the device and change electronic pulse functions or give false readings.


1 Comments


  1. William

    My husband has this defibrillator and monitor base at home. He has had several episodes with it


Share Your Comments

This field is hidden when viewing the form
I authorize the above comments be posted on this page
Post Comment
Weekly Digest Opt-In

Want your comments reviewed by a lawyer?

To have an attorney review your comments and contact you about a potential case, provide your contact information below. This will not be published.

NOTE: Providing information for review by an attorney does not form an attorney-client relationship.

This field is for validation purposes and should be left unchanged.

MORE TOP STORIES

Women pursuing Depo-Provera meningioma lawsuits will have to provide documentary proof of their diagnosis and the versions of the birth control shot they received within 120 days of filing their case.
An Indiana woman has filed a Cartiva SCI implant lawsuit, indicating that the toe implant failed due to a defective design, resulting in the need for revision surgery and recommendations to permanently fuse her big toe.
Two California hair stylists filed separate lawsuits, indicating that repeated occupational exposure to toxic chemicals in hair coloring dyes caused them to develop bladder cancer.