The U.S. Food and Drug Administration (FDA) issued a safety communication to alert healthcare providers and patients about cybersecurity vulnerabilities identified in a wireless telemetry technology used for communication between Medtronic’s implantable cardiac devices, clinic programmers, and home monitors. FDA recommends that healthcare providers and patients continue to use these devices as intended and follow device labeling.

Although the system’s overall design features help safeguard patients, FDA says that Medtronic is developing updates to further mitigate these cybersecurity vulnerabilities. To date, the FDA is not aware of any reports of patient harm related to these cybersecurity vulnerabilities.

FDA reviewed information concerning potential cybersecurity vulnerabilities associated with the use of Medtronic's Conexus wireless telemetry protocol, which is used as part of the communication method between Medtronic’s ICDs, CRT-Ds, clinic programmers, and home monitors.

The Conexus wireless telemetry protocol uses wireless radio frequency (RF) to enable communication between the devices and allows Medtronic programmers and monitoring accessories to do one or more of the following:

  • Remotely transmit data from a patient’s implanted cardiac device to a specified health care clinic (remote monitoring), including important operational and safety notifications;
  • Allow clinicians to display and print device information in real-time; and
  • Allow clinicians to program implanted device settings.

According to FDA, the Conexus wireless telemetry protocol has cybersecurity vulnerabilities because it does not use encryption, authentication, or authorization. FDA has confirmed that these vulnerabilities, if exploited, could allow an unauthorized individual (for example, someone other than the patient’s physician) to access and potentially manipulate an implantable device, home monitor, or clinic programmer.

Read FDA's full safety communication here and read Medtronic's security bulletin here.