Medtronic MyCareLink Smart™ Security Vulnerability Patch SECURITY BULLETIN

December 10, 2020

Purpose

This Medtronic Security Bulletin provides product-specific information about cybersecurity vulnerabilities impacting the MyCareLink (MCL) Smart Model 25000 Patient Reader. This Medtronic Security Bulletin contains a General/High Level Summary. Further technical information can be found in Medtronic's CISA disclosure.

The information in this bulletin applies to patients with a Medtronic pacemaker or cardiac resynchronization therapy pacemaker (CRT-P) who have chosen to use this system to send heart device information to their doctor between clinic visits.

To date, no cyberattack, no unauthorized access to patient data, and no harm to patients has been observed with these vulnerabilities.

Affected Products


Medtronic MyCareLink Smart 25000 Patient Reader

Product details: The MCL Smart Patient Reader is used to obtain information about a patient’s implanted cardiac device and transmit it through the patient’s mobile device to the Medtronic CareLink network so the patient’s clinician can manage care.

Summary

Cybersecurity firm Sternum LTD identified cybersecurity vulnerabilities impacting Medtronic’s MyCareLink (MCL) Smart Model 25000 Patient Reader. Additional researchers from the University of California Santa Barbara, University of Florida and University of Michigan independently discovered one of the same vulnerabilities.

The vulnerabilities could allow an unauthorized user to control a Patient Reader. 

To date, no cyberattack, no unauthorized access to patient data, and no harm to patients has been observed with these vulnerabilities.

Medtronic Response

Medtronic developed and released system updates that address these vulnerabilities.

  • Medtronic has implemented Sternum’s enhanced integrity validation (EIV) technology, which provides early detection and real-time mitigation of known common vulnerabilities and exposures (CVE).
  • Medtronic has also implemented Sternum’s advanced detection system technology, which enables de-identified device-level logging and monitoring of all device activity and anomalous behavior. Monitoring of your patient reader helps Medtronic proactively detect any possible cybersecurity issues.

Patient Action

Patients should ensure they have updated their MyCareLink Smart application to version 5.2.0 (or higher) prior to the next scheduled use. This completely mitigates the risk identified in the Cybersecurity and Infrastructure Security Agency (CISA) disclosure. Patients can obtain the latest version of MyCareLink Smart from a mobile phone application store (Apple App Store, Google Play Store).

How to Check Current Application Version

  • Open the MyCareLink Smart application
  • Select the About link at top right
  • Review the App Version number

Set your MyCareLink Smart Application to Auto Update

Android:

  1. Open the Google Play Store app
  2. Tap Menu > Settings
  3. Tap Auto-update apps
  4. Select an option:
    • Over any network to update apps using either Wi-Fi or mobile data
    • Over Wi-Fi only to update apps only when connected to Wi-Fi

Apple:

  1. Open the “Settings” app on the device
  2. Go to “iTunes & App Store”
  3. Toggle “Updates” to ON position

Additionally, Medtronic recommends that users take precautionary measures to minimize the risk of exploitation of cybersecurity vulnerabilities.

  • Maintain good physical control over home monitors and programmers.
    • Only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment.
  • Use only home monitors, programmers, and implantable devices obtained directly from your healthcare provider or a Medtronic representative to ensure integrity of the system.
  • Ensure that the operating system of the mobile phone is updated to the latest available version of the Android and/or Apple iOS operating system.

Additional Resources

Patients or clinicians with questions or concerns about these devices should contact:

US: The Medtronic Product Security website at http://www.medtronic.com/security is an available resource. A team of professionals is available to answer patient questions Monday-Friday 7am – 6pm Central Time. Patients can contact Medtronic patient services at 1-866-470-7709.

For international queries: Please contact your local Medtronic representative.