Security bulletins
MyCareLink Smart™ security vulnerability patch
View product-specific information about cybersecurity vulnerabilities impacting the MyCareLink (MCL) Smart™ Model 25000.
December 10, 2020
Purpose
This Medtronic Security Bulletin provides product-specific information about cybersecurity vulnerabilities impacting the MyCareLink (MCL) Smart™ Model 25000 Patient Reader. This Medtronic Security Bulletin contains a general/high level summary. Further technical information can be found in the Medtronic CISA disclosure.
The information in this bulletin applies to patients with a Medtronic pacemaker or cardiac resynchronization therapy pacemaker (CRT-P) who have chosen to use this system to send heart device information to their doctor between clinic visits.
To date, no cyberattack, no unauthorized access to patient data, and no harm to patients has been observed with these vulnerabilities.
Affected products
Medtronic MyCareLink Smart™ 25000 Patient Reader
Product details: The MCL Smart™ patient reader is used to obtain information about a patient’s implanted cardiac device and transmit it through the patient’s mobile device to the Medtronic CareLink™ network so the patient’s clinician can manage care.
Summary
Cybersecurity firm Sternum LTD identified cybersecurity vulnerabilities impacting the Medtronic MyCareLink (MCL) Smart™ Model 25000 patient reader. Additional researchers from the University of California Santa Barbara, University of Florida and University of Michigan independently discovered one of the same vulnerabilities.
The vulnerabilities could allow an unauthorized user to control a patient reader.
To date, no cyberattack, no unauthorized access to patient data, and no harm to patients has been observed with these vulnerabilities.
Medtronic response
Medtronic developed and released system updates that address these vulnerabilities.
- Medtronic has implemented Sternum’s enhanced integrity validation (EIV) technology which provides early detection and real-time mitigation of known common vulnerabilities and exposures (CVE).
- Medtronic has also implemented Sternum’s advanced detection system technology which enables de-identified device-level logging and monitoring of all device activity and anomalous behavior. Proactive monitoring of your patient reader helps Medtronic proactively detect any possible cybersecurity issues.
Patient action
Patients should ensure they have updated their MyCareLink Smart™ application to version 5.2.0 (or higher) prior to the next scheduled use. This completely mitigates the risk identified in the Computer Infrastructure Security Agency (CISA) disclosure. Patients can obtain the latest version of MyCareLink Smart™ from a mobile phone application store (Apple App Store, Google Play Store).
How to check current application version
- Open MyCareLink Smart™ application
- Select the About link at top right
- Review App Version number (below)
Set your MyCareLink Smart™ application to auto update
Android:
- Open the Google Play Store app
- Tap Menu > Settings
- Tap Auto-update apps
- Select an option:
- Over any network to update apps using either Wi-Fi or mobile data
- Over Wi-Fi only to update apps only when connected to Wi-Fi
Apple:
- Open the ”Settings” app on the device
- Go to “iTunes & App Store”
- Toggle “Updates” to ON position
Additionally, Medtronic recommends that users take precautionary measures to minimize the risk of exploitation of cybersecurity vulnerabilities.
- Maintain good physical control over home monitors and programmers.
- Only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment.
- Use only home monitors, programmers, and implantable devices obtained directly from your healthcare provider or a Medtronic representative to ensure integrity of the system.
- Ensure that the operating system of mobile phone is updated to the latest version of the available Android and/or Apple iOS operating system.
Additional resources
Patients or clinicians with questions or concerns about these devices should contact:
U.S.: The Medtronic product security website is an available resource. A team of professionals is available to answer patient questions Monday through Friday 7 a.m.–6 p.m. Central Time. Patients can contact Medtronic patient services at 866-470-7709.
For international queries: Please contact your local Medtronic representative.