Implantable cardiac devices made by Medtronic have cybersecurity vulnerabilities, according to a safety communication from the Food and Drug Administration. That said, so far the FDA is unaware of any reports of harm related to these vulnerabilities, and the agency still advises doctors and patients to continue using the devices as intended and in accordance with device labeling.
The Conexus wireless telemetry protocol used with Medtronic’s implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators, as well as with certain models of Medtronic’s CareLink Programmer and the MyCareLink Monitor, lacks encryption, authentication, or authorization, which leaves the devices open to exploitation. Such exploitation “could allow unauthorized individuals ... to access and potentially manipulate an implantable device, home monitor, or clinic programmer,” the agency said in its safety communication.
The FDA provides several recommendations in the safety communication, including obtaining these devices “directly from the manufacturer to ensure integrity of the system” and operating “the programmers within well-managed networks.”