Medtronic has disabled online updates for its CareLink and CareLink Encore programmers, models 2090 and 29901, because they were found to be vulnerable to cybersecurity attacks.

The programmers allow healthcare providers to access the Medtronic cardiac implantable electrophysiology devices (CIEDs), which include pacemakers and defibrillators, among others.


Physicians can use the programmers to get device performance data, check battery status and adjust or reprogram device settings from a CIED.

Software for these programmers can be downloaded and updated via an internet connection to the Medtronic Software Distribution Network (SDN) or by a Medtronic representative who uses a universal serial bus (USB) device.

Medtronic revealed in a security bulletin that researchers from WhiteScope detected vulnerabilities in the CareLink 2090 and CareLink Encore 29901 programmers, and associated SDN.

The company said: “If not mitigated, these vulnerabilities could result in potential harm to a patient.” However, Medtronic noted that it has not so far received any report of such an attack or of patient harm.

In a safety notice issued by the US Food and Drug Administration (FDA), the agency said that it reviewed the vulnerabilities and found opportunities for an unauthorised user to access the programmer or the implanted device.

To address these concerns and improve cybersecurity, Medtronic has disabled access to the SDN. The medical device firm plans to send its representative to carry out manual updates, when required.

Medtronic added: “Medtronic is working on additional security updates for the impacted programmers and the SDN update process. We will implement these updates following regulatory agency approvals.”

Both the FDA and the company recommended that healthcare providers continue using the CareLink programmers but advised against updating the software over the internet.

The agency added that patients and caregivers do not need to take any action in connection with this software update or cybersecurity vulnerability.