FDA News

Software update issued for cybersecurity vulnerabilities in Medtronic devices

The FDA issued a safety communication that Medtronic will issue a software update to resolve cybersecurity vulnerabilities associated with two programmers used to implant cardiac implantable electrophysiology devices in patients with HF or arrhythmia disorders.

The internet connection that the two programmers (CareLink and CareLink Encore models 2090 and 29901, Medtronic) use to download software from a network (Software Distribution Network, Medtronic) had vulnerabilities, according to the safety communication from the FDA. The FDA confirmed that the vulnerabilities may allow someone other than the patient’s physician to change the functionality of the programmer or the device.

The programmers are used during cardiac implantable electrophysiology device implantation and regular follow-up visits for patients who have received implantable defibrillators, pacemakers, insertable cardiac monitors and cardiac resynchronization devices, according to the FDA alert. Physicians use the programmers to obtain data from the device, adjust or reprogram settings and check battery status, in addition to updating software in the device, which can be downloaded through an internet connection or installed by a company representative.

The FDA approved an update to the company’s network that blocks the programmers from accessing it, according to the safety communication. There are no further updates to the programmers, and there are no known cases of patient harm related to the issue. The company is currently working on additional security updates for these vulnerabilities.

Health care providers are advised to continue to use the programmers, as network connectivity is not required for normal cardiac implantable electrophysiology device programming. The software distribution network should not be used to update the programmers, and they should be maintained according to hospitals’ IT policies, according to the safety communication.

In addition, the alert advised that prophylactic device replacement or reprogramming is not recommended.

Anyone suspecting an adverse event or other problem related to this issue should report it using the FDA’s MedWatch program, according to the alert.
