Cybersecurity Vulnerabilities Affecting Medtronic Implantable Cardiac Devices, Programmers, and Home Monitors: FDA Safety Communication
March 21, 2019
Audience
- Patients with a Medtronic implantable cardioverter defibrillator (ICD) or cardiac resynchronization therapy defibrillator (CRT-D)
- Caregivers of patients with a Medtronic ICD or CRT-D
- Cardiologists, electrophysiologists, cardiac surgeons, and primary care physicians treating or managing patients with heart failure or heart rhythm problems using a Medtronic ICD or CRT-D
Medical Specialties
Cardiac Electrophysiology, Cardiology, Cardiothoracic Surgery, Heart Failure
The U.S. Food and Drug Administration (FDA) is issuing this safety communication to alert health care providers and patients about cybersecurity vulnerabilities identified in a wireless telemetry technology used for communication between Medtronic’s implantable cardiac devices, clinic programmers, and home monitors. The FDA recommends that health care providers and patients continue to use these devices as intended and follow device labeling.
Although the system’s overall design features help safeguard patients, Medtronic is developing updates to further mitigate these cybersecurity vulnerabilities. To date, the FDA is not aware of any reports of patient harm related to these cybersecurity vulnerabilities.
This communication does NOT apply to any pacemakers, cardiac resynchronization pacemakers (CRT-Ps), CareLink Express monitors, or the CareLink Encore Programmer (model 29901).
Medtronic’s implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds) are devices that provide pacing for slow heart rhythms and electrical shocks or pacing to stop dangerously fast heart rhythms.
ICDs and CRT-Ds are implanted under the skin in the upper chest area with connecting insulated wires called leads that go into the heart. A patient may need an ICD or CRT-D if their heartbeat is too slow (bradycardia), too fast (tachycardia), or needs coordination to treat heart failure. The Medtronic CareLink Programmer (model 2090) is used during the implantation and regular follow-up visits for Medtronic ICDs and CRT-Ds.
The MyCareLink Monitor (models 24950 and 24952) is used to wirelessly connect to the patient's implanted cardiac device and read the data stored on the device. The transmitter, located in the patient's home, sends the patient's data to his or her physician(s) via the CareLink Network using a continuous landline, cellular, or wireless (wi-fi) Internet connection.
Affected Medtronic ICD and CRT-D device models include:
- Amplia MRI CRT-D, all models
- Claria MRI CRT-D, all models
- Compia MRI CRT-D, all models
- Concerto CRT-D, all models
- Concerto II CRT-D, all models
- Consulta CRT-D, all models
- Evera MRI ICD, all models
- Evera ICD, all models
- Maximo II CRT-D and ICD, all models
- Mirro MRI ICD, all models
- Nayamed ND ICD, all models
- Primo MRI ICD, all models
- Protecta CRT-D and ICD, all models
- Secura ICD, all models
- Virtuoso ICD, all models
- Virtuoso II ICD, all models
- Visia AF MRI ICD, all models
- Visia AF ICD, all models
- Viva CRT-D, all models
Affected Medtronic programmer and monitor models include:
- CareLink 2090 Programmer
- MyCareLink Monitor, models 24950 and 24952
- CareLink Monitor, model 2490C
Summary of Problem and Scope
The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with the use of the Conexus wireless telemetry protocol, which is used as part of the communication method between Medtronic’s ICDs, CRT-Ds, clinic programmers, and home monitors.
The Conexus wireless telemetry protocol uses wireless radio frequency (RF) to enable communication between the devices and allows Medtronic programmers and monitoring accessories to do one or more of the following:
- Remotely transmit data from a patient’s implanted cardiac device to a specified health care clinic (remote monitoring), including important operational and safety notifications;
- Allow clinicians to display and print device information in real-time; and
- Allow clinicians to program implanted device settings.
The Conexus wireless telemetry protocol has cybersecurity vulnerabilities because it does not use encryption, authentication, or authorization. The FDA has confirmed that these vulnerabilities, if exploited, could allow an unauthorized individual (for example, someone other than the patient’s physician) to access and potentially manipulate an implantable device, home monitor, or clinic programmer.
Medtronic is working to create and implement additional security updates to address these cybersecurity vulnerabilities, beyond the safety features in the current design described in Medtronic’s security bulletin. Those safety features include: the protocol can be activated only by the patient’s health care provider at a clinic, activation times vary by patient, and an unauthorized user would need to be close to an active device, monitor, or clinic programmer to take advantage of these vulnerabilities. For more information, see Medtronic’s Security Bulletin.
Recommendations for Health Care Providers
- Continue to use the CareLink programmers for programming, testing and evaluation of ICD and CRT-D patients. There is no programmable setting that allows a clinician to turn off the Conexus wireless capabilities in the affected devices.
- Maintain control of CareLink programmers within your facility at all times according to your hospital Information Technology (IT) policies.
- Use only home monitors, programmers, and implantable devices obtained directly from the manufacturer to ensure integrity of the system.
- Remind patients to keep their home monitors plugged in:
  - The benefits of remote wireless monitoring of an implantable device outweigh the practical risk of an unauthorized user exploiting these devices’ vulnerabilities.
  - The monitor must remain powered on to ensure timely transmission of any wireless CareAlerts programmed by the physician, and to ensure automatically scheduled remote transmissions occur at the specified time.
- Operate the programmers within well-managed IT networks. Consult with your IT department regarding the security of your network. For recommended actions to better secure your computer network environment, refer to https://www.nist.gov/cyberframework.
- Reprogramming or updating the affected devices is not required at this time.
- Prophylactic ICD or CRT-D replacement is not recommended and should not be performed solely to address these vulnerabilities.
- As with any connected medical device and especially implanted life-supporting or life-sustaining devices, discuss the risk of cybersecurity vulnerabilities with your patients prior to implanting ICDs and CRT-Ds, along with other device risks and benefits, and take advantage of the latest software updates and improvements to devices.
Recommendations for Patients and Caregivers
To date, the FDA is not aware of any reports of patient harm related to these cybersecurity vulnerabilities.
The FDA recommends that patients and caregivers take the following actions:
- Use only remote monitors obtained directly from your healthcare provider or the manufacturer to ensure integrity of the system.
- Continue to keep the remote monitor plugged in at all times to ensure that any wireless CareAlerts programmed by your health care provider and any automatically scheduled remote transmissions occur in a timely manner.
- Keep track of your remote monitor.
- Get medical help right away if you feel lightheaded, dizzy, lose consciousness, or have chest pain or severe shortness of breath.
- Contact Medtronic Technical Services, Monday through Friday, 7 a.m. to 6 p.m. Central Time, at 855-275-2717 for additional information or if you have any questions regarding the vulnerabilities.
The FDA is working with Medtronic while they create and implement additional security updates to address these cybersecurity vulnerabilities and improve patient safety and will inform the public as new information is available.
The FDA urges manufacturers everywhere to remain vigilant about their products — companies should take steps to monitor and assess cybersecurity vulnerability risk, and be proactive about disclosing vulnerabilities and mitigations to address them. This is part of the FDA’s overall effort to collaborate with manufacturers and health care delivery organizations—as well as security researchers and other government agencies—to develop and implement solutions to address cybersecurity issues throughout a device’s total product lifecycle. The FDA issued recommendations to manufacturers for continued monitoring, reporting, and remediation of medical device cybersecurity vulnerabilities.
The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (for example: wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. However, the increased use of wireless technology and software in medical devices can also offer safer, more convenient, and timely health care delivery.
Reporting Problems to the FDA
Prompt reporting of adverse events can help the FDA identify and better understand the risks related to the use of medical devices. If you suspect or experience a problem with these devices, we encourage you to file a voluntary report through MedWatch, the FDA Safety Information and Adverse Event Reporting program. Health care personnel employed by facilities that are subject to the FDA's user facility reporting requirements should follow the reporting procedures established by their facilities.
Related Information
- Medtronic Security Bulletin
- ICS-CERT Advisory
- FDA’s Safety Communication issued in October 2018 about a software update to address cybersecurity vulnerabilities related to Medtronic’s Cardiac Device Programmers
If you have questions about this communication, please contact the Division of Industry and Consumer Education at DICE@FDA.HHS.GOV, 800-638-2041 or 301-796-7100.