Pelvic Health InterStim™ Micro and InterStim X™ Clinician Application Security Update

March 2, 2023

Summary

Medtronic has identified a potential issue related to its InterStim™ therapy and how passwords are saved within the Smart Programmer’s clinician app.

Patients with an InterStim™ device shown below and health care providers supporting those patients should contact Medtronic support to update the clinician application on their Smart Programmer to fix this vulnerability.

Contact information is at the bottom of this bulletin in the “For More Information” section.

Impacted products

Interstim Collage

Patients with bladder and/or bowel control issues may have an implanted Medtronic InterStim™ neurostimulator placed in the upper buttock area. The therapy this device delivers, which helps patients control bladder and/or bowel function, can be controlled by the patient and their healthcare provider through an app on a handheld mobile device, called a Smart Programmer.

The apps on the handheld mobile devices are impacted by a vulnerability explained further in the “Vulnerability Overview” section. Pictures of the impacted apps are below:

Interstim and Micro Icons

Vulnerability Overview

Through routine monitoring, Medtronic identified that the Pelvic Health clinician apps, which are installed on the Smart Programmer mobile device, have a password vulnerability that requires a security update to fix. Not updating could potentially result in unauthorized control of the clinician therapy application, which has greater control over therapy parameters than the patient app. Changes still cannot be made outside of the established therapy parameters of the programmer. For unauthorized access to occur, an individual would need physical access to the Smart Programmer.

To date, no cyberattack, no unauthorized access to patient data, and no harm to patients has been observed with this issue.

The vulnerability exists under certain reset conditions. It could lead to the clinician application’s custom password being reset to a default password. 

Actions Recommended

An app update is available as of February 23, 2023. Contact Medtronic support for help updating the app or if you experience any unusual activity from the device. Please refer to the “For More Information” section for the correct Medtronic contacts.

If you are concerned about your care delivery, please consult your care provider.

For more information:

| Who | Where | Contact |
|---|---|---|
| Health Care Providers | United States, Latin America, Australia, New Zealand | Medtronic Technical Services: 1-800-707-0933, Option 6 |
| Health Care Providers | Europe, Middle East, Africa | Medtronic Technical Services: +31455668844, Option 2 (English), or your local Medtronic representative |
| Health Care Providers | All other geographies | Contact your local Medtronic representative |
| Patients | United States | Contact your local Medtronic representative or Patient Services: 1-800-510-6735 |
| Patients | All non-US geographies | Contact your local Medtronic representative |

Additional Details:

Cybersecurity professionals may find the following technical information useful for tracking and risk rating purposes:

  • The vulnerability has been assigned a CVE number, CVE-2023-25931.
  • The CVSS score for this vulnerability is 6.4.