TiYunZong vulnerability on CT900 Samsung Android tablet
This Medtronic security bulletin provides product specific information concerning the TiYunZong security vulnerability.
November 19, 2020
This Medtronic Security Bulletin provides product specific information concerning the TiYunZong security vulnerability on the CT900 Samsung Android tablets and how to mitigate the vulnerability. Medtronic uses these tablets to run several Medtronic Neuromodulation clinician programmer applications.
To date, no cyberattack, patient harm, or data compromise has been observed with these vulnerabilities.
Given that the clinician programmer applications run on the Samsung tablet, Medtronic applications may be indirectly impacted.
Security researchers discovered potential vulnerabilities in Samsung tablets (assigned the Medtronic Model CT900) that function as the hardware platform for clinician programmers that interact with Medtronic neurostimulators and implantable drug infusion pumps. These programmers are used by clinicians to configure therapy device settings in a hospital or clinic. In this case, the therapies impacted treat patients with chronic pain, severe spasticity, Parkinson’s disease, essential tremor, dystonia, epilepsy and obsessive-compulsive disorder.
For the vulnerability to be exploited, a CT900 tablet user (i.e. a clinician at a hospital or clinic) must visit a malicious website using the Chrome browser application on the tablet. Once that has happened, an unauthorized individual could exploit this vulnerability to gain remote access to the tablet. This could enable an unauthorized individual to access therapy or patient information or to alter device settings remotely over the internet.
Updating the Chrome browser application to version 77 or greater completely mitigates these vulnerabilities. To update:
Medtronic field representatives will check devices and assist clinicians to ensure the Chrome browser application is updated in the weeks following issuance of this bulletin.
Additionally, Medtronic recommends that users take additional defensive measures to minimize risk. Specifically, users should:
The CT900 Samsung Android tablets are used for running the following Medtronic applications:
| Product name | Use |
|---|---|
| A610 – DBS clinician programmer application | Used by clinicians for programming of Medtronic neurostimulators (external and implantable) for deep brain stimulation (DBS) |
| A710 – Intelis™ clinician programmer application | Used by clinicians for programming of Medtronic neurostimulators (external and implantable) for pain therapy |
| A71100 – Restore clinician application | Used by clinicians for programming of Medtronic neurostimulators for pain therapy |
| A810 – SynchroMed™ II clinician programmer application | Intended for use by clinicians in the programming of the Model 8637 SynchroMed™ II programmable pump for intrathecal applications |
Patients or clinicians with questions or concerns about these devices should contact:
Technical Services: 800-707-0933
Or contact your Medtronic representative.