Heart of Health Policy | FDA Alert: Cybersecurity Vulnerabilities Found in Two Models of Medtronic Programmers
The U.S. Food and Drug Administration (FDA) has issued an alert regarding cybersecurity vulnerabilities in two models of Medtronic programmers (CareLink and CareLink Encore, models 2090 and 29901) used during implantation and regular follow-up visits for patients with Medtronic cardiac implantable electrophysiology devices (CIEDs), including pacemakers, implantable defibrillators, cardiac resynchronization devices and insertable cardiac monitors.
Medtronic's device programmers allow clinicians to gather data from implanted devices, such as performance data and battery status, and to adjust settings. According to the FDA, when the programmers are connected to the internet for software updates, a connection to Medtronic's network could be exploited and allow an unauthorized user to change the functions of the implanted device.
As part of the safety alert, the FDA noted that Medtronic has issued a software update to reduce the risk of exploitation of the vulnerability in the CareLink and CareLink Encore products. The update will intentionally block the currently existing programmer from accessing the Medtronic SDN. In addition, Medtronic is working to create and implement additional security updates to further address these vulnerabilities.
To date, there are no known reports of patient harm related to these cybersecurity vulnerabilities. The FDA notes that clinicians should continue to use the programmers for programming, testing and evaluation of CIED patients. Additionally, other Medtronic-provided features that require network connections are not impacted by these vulnerabilities (e.g., SessionSync™). Reprogramming or updating of CIEDs is not required as a result of this correction and prophylactic CIED replacement is not recommended. Patients should contact their clinicians with any questions.
On the IT front, the alert also urges clinicians not to attempt to update the programmers through the SDN and states that programmers within facilities should be controlled according to the hospital's IT policies at all times. Tips for securing computer network environments can be found at nist.gov/cyberframework. Future programmer software updates must be received directly from a Medtronic representative with a USB update.
Communication recommendations to assist health care professionals in understanding and preparing for potential cybersecurity vulnerabilities of CIEDs were released earlier this year by the Heart Rhythm Society.
Clinical Topics: Arrhythmias and Clinical EP, Heart Failure and Cardiomyopathies, Implantable Devices, SCD/Ventricular Arrhythmias, Atrial Fibrillation/Supraventricular Arrhythmias
Keywords: ACC Publications, Cardiology Interventions, Health Policy, Defibrillators, Implantable, Patient Harm, Follow-Up Studies, Cardiac Resynchronization Therapy, Cardiac Resynchronization Therapy Devices, United States Food and Drug Administration, Cardiac Electrophysiology, Computer Security, Internet