ILLUMISITE™ platform security vulnerabilities Security Bulletin

Originally published: September 29, 2022
Updated on: February 27, 2024

Impacted Products:

ILLUMISITE™ platform family of applications including:

  • Procedure software versions: 1.0, 1.1
  • Planning software versions: 1.0, 1.1


Overview:

The ILLUMISITE™ platform is used to perform electromagnetic navigation bronchoscopy procedures.  During a procedure, a physician uses the platform to navigate endoscopic tools to targets in the lungs such as lymph nodes and solitary pulmonary nodules.  The system is used in two phases and has two corresponding software applications – planning and procedure.

Medtronic has recently identified that the ILLUMISITE™ platform has security vulnerabilities, primarily related to the Microsoft Windows 10 operating system, which could allow an unauthorized user to execute code on the system.

To date, no cyber attack, unauthorized access to patient data, or harm to patients has been observed with these vulnerabilities.

A software update has been available since February 13, 2024. This update is designed to enhance the security of the system to address these types of vulnerabilities, allowing the device to be network connected. The Medtronic service team will deliver this update during service visits.

Medtronic recommends that healthcare providers continue to use these devices as intended. However, if the ILLUMISITE™ platform is currently configured to connect to a hospital network, Medtronic recommends disconnecting the ILLUMISITE™ platform from the hospital network until the software update is applied.

In all cases, Medtronic recommends special care be taken to control the physical security of the device.

If you experience any unusual activity from the device, please contact the Medtronic Lung Health Technical Service Hotline: 1-877-501-8737.

If you are concerned about your care delivery associated with the ILLUMISITE™ platform, please consult your care provider.

Additional Details:

If disconnecting a currently networked system, Medtronic recommends loading CT scans directly on the console. If a superDimension™ planning station is used, Medtronic recommends that it also be disconnected from the hospital network and that a dedicated USB be used to transfer plans between the planning station and navigation system. Physically securing the system when not in use and using it in a disconnected/isolated manner can help prevent exploitation of most known vulnerabilities.

While not recommended until the software update is applied, some hospitals may still prefer network connectivity with a PACS. In this case, Medtronic suggests networking the ILLUMISITE™ platform only on a protected sub-net. That sub-net should be secured through a managed firewall to segregate the PACS-connected devices from the public internet and from networks hosting non-protected devices. Medtronic encourages securing the ILLUMISITE™ platform and all other devices on the sub-net against physical tampering.

Medtronic does NOT recommend applying Windows updates to resolve this issue as the ILLUMISITE™ platform has not been validated for use with additional Windows updates.

We will continue to monitor our products for additional vulnerabilities. If any further communications are necessary, we will provide them through our established Coordinated Disclosure process.

Additionally, we will use this security matter to enhance our internal security reviews, including penetration testing and threat modeling capabilities.
 

For more information:

For further information including a full list of vulnerabilities, please contact the Medtronic Lung Health Technical Service Hotline: 1-877-501-8737
rs.ilstechservice@medtronic.com