March 2, 2023

Summary

Medtronic has identified a potential issue related to its InterStim™ therapy and how passwords are saved within the Smart Programmer’s clinician app.

Patients with an InterStim™ device shown below and health care providers supporting those patients should contact Medtronic support to update the Clinician Application on their Smart Programmer to fix this vulnerability.

Contact information is at the bottom of this bulletin in the “For more information” section.


Impacted products

Patients with bladder and/or bowel control issues may have an implanted Medtronic InterStim™ neurostimulator placed in the upper buttock area. The therapy this device delivers, which helps patients control bladder and/or bowel function, can be controlled by the patient and their healthcare provider through an app on a handheld mobile device, called a Smart Programmer.

The apps on the handheld mobile devices are impacted by a vulnerability explained further in the “Vulnerability Overview” section. Pictures of the impacted apps are below:


Vulnerability overview

Through routine monitoring, Medtronic identified that the Pelvic Health clinician apps, which are installed on the Smart Programmer mobile device, have a password vulnerability that requires a security update to fix. Not updating could potentially result in unauthorized control of the clinician therapy application, which has greater control over therapy parameters than the patient app. Changes still cannot be made outside of the established therapy parameters of the programmer. For unauthorized access to occur, an individual would need physical access to the Smart Programmer. 

To date, no cyberattack, no unauthorized access to patient data, and no harm to patients has been observed with this issue.

The vulnerability exists under certain reset conditions. It could lead to the clinician application’s custom password being reset to a default password. 


Actions recommended

An app update is available as of February 23, 2023. Contact Medtronic support for help updating the app or if you experience any unusual activity from the device. Please refer to the “For more information” section for the correct Medtronic contacts.

If you are concerned about your care delivery, please consult your care provider.


For more information

| Who | Where | Contact |
| --- | --- | --- |
| Health Care Providers | United States, Latin America, Australia, New Zealand | Medtronic Technical Services: 1-800-707-0933, Option 6 |
| Health Care Providers | Europe, Middle East, Africa | Medtronic Technical Services: +31455668844, Option 2 (English), or your local Medtronic representative |
| Health Care Providers | All other geographies | Contact your local Medtronic representative. |
| Patients | United States | Contact your local Medtronic representative or Patient Services: 1-800-510-6735 |
| Patients | All non-US geographies | Contact your local Medtronic representative. |

Additional details

Cybersecurity professionals may find the following technical information useful for tracking and risk rating purposes:

  • The vulnerability has been assigned a CVE number, CVE-2023-25931.
  • The CVSS score for this vulnerability is 6.4.
