October 11, 2018
“Today’s safety communication is a demonstration of shared cybersecurity responsibility among government entities, cybersecurity researchers and industry to protect patient safety,” said Suzanne Schwartz, M.D., associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health. “The FDA values the important work of cybersecurity researchers in helping the agency and manufacturers identify and address potential cyber threats. While we are not aware of patients who may have been harmed by this particular cyber vulnerability, the risk to patient harm of leaving such a vulnerability unaddressed is too great. The safety communication issued today contains recommendations for what actions health care providers should do to update the device and reduce the risk this vulnerability could pose. The FDA is committed to protecting patient safety by working with all stakeholders to develop and implement solutions to address cybersecurity issues throughout a product’s total lifecycle.”
Today, the U.S. Food and Drug Administration issued a safety communication regarding cybersecurity vulnerabilities in two models of Medtronic programmers, specifically Carelink and Carelink Encore, used with cardiac implantable electrophysiology devices, which include pacemakers, implantable defibrillators, cardiac resynchronization devices and implantable cardiac monitors.
Medtronic’s device programmers allow providers to gather data from the implantable cardiac devices, such as performance data and battery status, and adjust the device settings. The agency has reviewed information regarding cybersecurity vulnerabilities associated with the programmers. Specifically, the vulnerability is associated with using an internet connection to connect the programmers to Medtronic’s software distribution network, which allows providers to download software updates. The FDA confirmed that when the programmers are connected to the internet, the connection to the Medtronic network could be exploited and allow an unauthorized user (i.e., someone other than the patient’s provider) to alter the programmer to change the programmer’s functionality or the implanted device during the device implantation procedure or during follow-up visits. At this time, the agency is not aware of reports of patient harm related to these cybersecurity vulnerabilities.
In addition to the safety communication, today, the FDA approved a software update from Medtronic to reduce the risk that the current vulnerability could be exploited. The software update will allow providers to continue using the programmers without connecting to the internet. The FDA considers this corrective action by the company to be a voluntary recall. More information for patients, caregivers and providers can be found in the safety communication and in Medtronic’s communication about the issue.
The FDA, an agency within the U.S. Department of Health and Human Services, protects the public health by assuring the safety, effectiveness, and security of human and veterinary drugs, vaccines and other biological products for human use, and medical devices. The agency also is responsible for the safety and security of our nation’s food supply, cosmetics, dietary supplements, products that give off electronic radiation, and for regulating tobacco products.