Description:

Medtronic has released security update to address multiple vulnerabilities in the following product:

• MyCareLink Monitor, Versions 24950 and 24952
• CareLink Monitor, Version 2490C
• CareLink 2090 Programmer
• Amplia CRT-D (all models)
• Claria CRT-D (all models)
• Compia CRT-D (all models)
• Concerto CRT-D (all models)
• Concerto II CRT-D (all models)
• Consulta CRT-D (all models)
• Evera ICD (all models)
• Maximo II CRT-D and ICD (all models)
• Mirro ICD (all models)
• Nayamed ND ICD (all models)
• Primo ICD (all models)
• Protecta ICD and CRT-D (all models)
• Secura ICD (all models)
• Virtuoso ICD (all models)
• Virtuoso II ICD (all models)
• Visia AF ICD (all models)
• Viva CRT-D (all models)
• Brava CRT-D (all models)
• Mirro MRI ICD (all models)

Threats:

Remote attacker could exploit these vulnerabilities by:

• Improper Access Control
• Sensitive information disclosure

Medtronic Updates

Best practice and Recommendations:

The CERT team encourages users to review Medtronic security advisory and apply the necessary updates for the following products:

• Amplia MRI CRT-D, all models (patch available in U.S. only)
• Claria MRI CRT-D, all models (patch available in U.S. only)
• Compia MRI CRT-D, all models (patch available in U.S. only)
• Visia AF MRI ICD, all models
• Visia AF ICD, all models
• Brava CRT-D, all models
• Evera MRI ICD, all models
• Evera ICD, all models
• Mirro MRI ICD, all models
• Primo MRI ICD, all models
• Viva CRT-D, all models

In addition, Medtronic encourages users to:

• Do not connect unapproved devices to home monitors and programmers through USB ports or other physical connections.
• Only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment.
• https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity