BIOTRONIK Statement on CardioMessenger II Cybersecurity
CardioMessenger devices form an essential part of BIOTRONIK’s remote monitoring system, enabling the secure transmission of critical patient and device data to the treating physician. As the company that pioneered remote monitoring, we have taken cybersecurity design seriously since 2001. It is integrated into our quality management system and all relevant business processes, and is prioritized at every step of the product life cycle.
Our cardiac implants do not accept programming modifications or commands via any form of long-distance communication. By design, it is technically impossible to transmit commands to our implants remotely, which obviates the potential for reprogramming the patient's device and doing direct harm to the patient.
In October 2019, researchers at SINTEF provided a report to BIOTRONIK describing potential cybersecurity concerns associated with CardioMessenger II devices, which are no longer available on the market. We would like to reassure patients, healthcare providers and physicians that these devices are safe and can continue to be used as intended.
As a result of the SINTEF report, we initiated a comprehensive analysis, which determined that the cybersecurity questions raised did not have an impact on patient safety. Specifically, no CardioMessenger, past or current models, can modify an implantable cardiac device’s diagnostic or therapeutic functionality. This is a deliberate design feature to ensure patient safety. We shared our findings with the researchers, who also agreed that “BIOTRONIK provided sufficient information to confirm that patient harm arising from the vulnerabilities is very unlikely.” [1] In addition, the particular model concerned, the CardioMessenger II, is an older generation of the device that has since been superseded by the CardioMessenger Smart.
It is also important to note that there have been no cyberattacks or privacy breaches related to CardioMessenger. The Cybersecurity & Infrastructure Security Agency (CISA) at the US Department of Homeland Security also confirms that “no known public exploits specifically target these vulnerabilities.” [2] CardioMessenger devices are safe and, in fact, BIOTRONIK Home Monitoring has been shown to significantly reduce patient hospitalization [3], stroke [4] and mortality [3].
We take cybersecurity extremely seriously at BIOTRONIK and we are strongly committed to providing safe and reliable cardiovascular devices that improve the lives of millions of patients. Our cybersecurity management process is carefully designed according to the recommendations of the US FDA’s guidance to identify and control risks in all relevant devices and systems. The BIOTRONIK Home Monitoring System is operated using an information security management system certified according to the international standard ISO/IEC 27001:2013. This information security management standard is the framework that guides BIOTRONIK in identifying, analyzing and addressing information risks. It also specifies the requirements for establishing, implementing and maintaining an information system and ensures security measures are constantly adapted in response to the changing cybersecurity landscape.
We will continue to monitor, test and analyze the safety of our devices and value the contributions of independent cybersecurity researchers in helping us to achieve this.
For any questions concerning BIOTRONIK devices, please contact us:
[1] Coordinated Disclosure Statement: https://guillaumebour.fr/articles/security_testing_pacemaker_ecosystem/part_1_introduction_context_methodology/
[2] CISA ICS Medical Advisory: https://www.us-cert.gov/ics/advisories/icsma-20-170-05
[3] Hindricks et al. European Heart Journal 2017, 38, 1749–1755.
[4] Mabo P et al. European Heart Journal. 2012, 33.
BIOTRONIK is a leading medical device company that has been developing trusted and innovative cardiovascular and endovascular solutions for more than 50 years. Driven by a purpose to perfectly match technology with the human body, BIOTRONIK innovations deliver care that saves and improves the lives of millions diagnosed with heart and blood vessel diseases every year. BIOTRONIK is headquartered in Berlin, Germany, and represented in over 100 countries.