FDA Issues Cybersecurity Alert for Implantable Cardiac Devices

The FDA flagged cybersecurity vulnerabilities in wireless communications between certain Medtronic implantable cardiac devices, clinic programmers and home monitors—and said it’s working with the company to fix the problem.

The Conexus wireless telemetry protocol that allows clinicians to program the implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds) does not use encryption, authentication or authorization, which means that unauthorized individuals could potentially manipulate an implantable device, home monitor, or clinic programmer, the agency said.

The FDA urged manufacturers to assess their products’ cybersecurity risks and to be proactive about disclosing vulnerabilities and what they’re doing about them.