October 12, 2018
by Zachary Brennan

FDA Warns of Cyber Vulnerability in Medtronic Implantable Cardiac Devices

The US Food and Drug Administration (FDA) on Thursday issued a safety communication warning of cybersecurity vulnerabilities affecting Medtronic cardiac implantable electrophysiology devices (CIEDs).

Although to date there are no known reports of patient harm related to these cybersecurity vulnerabilities, Medtronic is issuing a software update to address a safety risk associated with the internet connection between the Carelink 2090 and Carelink Encore 29901 Programmers used to download software from the Medtronic Software Distribution Network (SDN). 

The programmer software can be downloaded and updated either through an internet connection to the Medtronic SDN or by a Medtronic representative plugging a universal serial bus (USB) device into the programmer.

FDA said it “has confirmed that these vulnerabilities could allow an unauthorized user (that is, someone other than the patient's physician) to change the programmer's functionality or the implanted device during the device implantation procedure or during follow-up visits.”

And although the programmer uses a virtual private network (VPN) for connecting with the Medtronic SDN, FDA said the “vulnerability identified with this connection is that the programmers do not verify that they are still connected to the VPN prior to downloading updates.”

To address this vulnerability, FDA earlier this month approved Medtronic's update to its network, which will now “intentionally block the currently existing programmer from accessing the Medtronic SDN.”

FDA has warned of and dealt with other cyber vulnerabilities in the past.

FDA and the Department of Homeland Security (DHS) in January 2017 issued an advisory warning of cybersecurity vulnerabilities found in St. Jude Medical's Merlin@home wireless transmitter that could affect the company's line of implantable cardiac devices. Abbott in August 2017 also voluntarily recalled about 465,000 pacemakers to install a firmware update to patch cybersecurity vulnerabilities in the devices.

The warnings come as the Department of Health and Human Services’ Office of the Inspector General is calling on FDA to further integrate cybersecurity into its review processes for medical devices, a recommendation the agency agreed with. For its part, FDA has said recently it would update 2014 guidance on cybersecurity.
 