The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team discovered encryption vulnerabilities in Medtronic’s 9790 and 2090 CareLink Programmers and 29901 Encore Programmers that could compromise patient data if exploited.
According to officials, the programmers fail to encrypt the protected health information or personally identifiable data stored on the device. As a result, a hacker with physical access could exploit the flaw and compromise the data on an impacted programmer.
“The affected products do not encrypt or do not sufficiently encrypt the following sensitive information while at rest,” officials wrote.
Medtronic’s CareLink 9790 programmer has been placed in end-of-life status and will no longer be supported by the medical device vendor.
The two other programmers involved in the alert store patient data as part of normal operation. To mitigate the flaw, Medtronic officials recommended data should only be retained “for the least amount of time necessary.”
“[The data] should be handled, managed and secured in a manner consistent with the applicable laws for patient data privacy,” officials wrote. “All affected programmers allow for the manual deletion of programmer-generated reports, which could contain PHI/PII.”
“Medtronic recommends users delete these reports when no longer needed and prior to any disposition of the programmer,” they added.
Further, hospitals and providers should maintain strict physical control of the programmers and only use devices legitimately obtained, not programmers provided by third parties, officials said. It’s critical that organizations properly dispose of programmers and the electronic data stored on them to ensure the protection of that data.
Organizations with these programmers in use should contact the vendor for “proper disposal and PHI/PII retention setting instructions,” officials said.
“NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures,” NCCIC officials wrote. “Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.”
NCCIC was alerted to the flaw by researchers Billy Rios and Jonathan Butts of security firm Whitescope.
In August, Rios and Butts criticized Medtronic for its lax response to medical device security. Allegedly, Medtronic was unresponsive and uncooperative when the researchers informed the vendor of flaws they had discovered in some devices.
This is just the latest alert on Medtronic programmers. The Food and Drug Administration issued a cybersecurity alert on two devices in October that could allow a hacker to hijack the software update process and change the function of the device. Medtronic disabled the online update to mitigate the flaw.