HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Vulnerabilities Identified in Medtronic MyCareLink Patient Monitors

ICS-CERT has issued an advisory about two recently discovered vulnerabilities in Medtronic MyCareLink patient monitors.

The devices are used by patients with implantable cardiac devices to transmit their heart rhythm data directly to their clinicians. While the devices have safeguards in place and transmit information over a secure Internet connection, the vulnerabilities could potentially be exploited by a malicious actor to gain privileged access to the operating system of the devices.

The vulnerabilities – a hard-coded password vulnerability (CWE-259 / CVE-2018-8870) and an exposed dangerous method or function vulnerability (CWE-749 / CVE-2018-8868) – exist in all versions of the 24950 and 24952 MyCareLink Monitors.

The former has been assigned a CVSS v3 score of 6.4 and the latter a CVSS v3 score of 6.2. The vulnerabilities were discovered by security researcher Peter Morgan of Clever Security, who reported the issues to NCCIC.

Exploitation of the hard-coded password vulnerability would require physical access to the device. After removing the case, an individual could connect to the debug port and use the hard-coded password to gain access to the operating system.

Debug code in the device is used to test the functionality of the communications interfaces, including the interface between the monitor and the implanted cardiac device. After using the hard-coded password, an attacker could gain access to the debug function and read and write arbitrary memory values, provided that individual is in close proximity to the patient with the implanted cardiac device.
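To make the two weakness classes in the advisory concrete, the following is an added illustration in C. It is not Medtronic's firmware and is not taken from the advisory: it sketches a hypothetical debug console that ships with one fleet-wide hard-coded password (CWE-259) and exposes raw memory access once logged in (CWE-749), beside a hardened version that requires a per-unit secret compared in constant time, refuses to operate at all on a unit whose debug fuse has been cleared before shipping, and confines diagnostics to an allowlisted buffer with bounds checks. All function names, the session structure and the placeholder password are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ---------- Weak pattern: CWE-259 and CWE-749 in one debug console ---------- */

/* Constructed placeholder: one secret compiled into every unit. Anyone who
 * extracts it from any single device learns the password for all of them. */
static const char WEAK_DEBUG_PASSWORD[] = "factory-debug-placeholder";

bool weak_debug_login(const char *supplied)
{
    /* Variable-time compare against a constant that is identical across the fleet. */
    return strcmp(supplied, WEAK_DEBUG_PASSWORD) == 0;
}

/* After login the console hands out raw memory access (CWE-749): the caller
 * chooses any address and nothing limits what can be read. */
uint8_t weak_debug_peek(bool logged_in, const uint8_t *addr)
{
    return logged_in ? *addr : 0;
}

/* ---------- Hardened pattern ---------- */

enum { SECRET_LEN = 16, DIAG_BUF_LEN = 32 };

typedef struct {
    uint8_t secret[SECRET_LEN]; /* per-unit secret provisioned at manufacture (hypothetical) */
    bool debug_fuse_open;       /* true on bench units only; cleared before a unit ships */
    bool authenticated;
} debug_session_t;

/* The only memory the diagnostics commands are permitted to touch. */
static uint8_t g_diag_buf[DIAG_BUF_LEN];

/* Constant-time equality so response timing cannot leak the secret byte by byte. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

bool hardened_debug_login(debug_session_t *s, const uint8_t *supplied, size_t len)
{
    s->authenticated = false;
    if (!s->debug_fuse_open)      /* fielded unit: the console simply does not exist */
        return false;
    if (len != SECRET_LEN)
        return false;
    s->authenticated = ct_equal(s->secret, supplied, len);
    return s->authenticated;
}

/* Return 0 on success, -1 without a session, -2 when offset leaves the allowlisted buffer. */
int hardened_debug_read(const debug_session_t *s, size_t offset, uint8_t *out)
{
    if (!s->authenticated) return -1;
    if (offset >= DIAG_BUF_LEN) return -2;
    *out = g_diag_buf[offset];
    return 0;
}

int hardened_debug_write(const debug_session_t *s, size_t offset, uint8_t value)
{
    if (!s->authenticated) return -1;
    if (offset >= DIAG_BUF_LEN) return -2;
    g_diag_buf[offset] = value;
    return 0;
}

/* Walks both patterns with a constructed per-unit secret and returns the
 * number of expectations that held (7 when everything behaves as intended). */
int debug_console_demo(void)
{
    int ok = 0;
    uint8_t secret[SECRET_LEN], v = 0;
    memset(secret, 0x5a, sizeof secret);            /* constructed test secret */

    ok += weak_debug_login(WEAK_DEBUG_PASSWORD);    /* the fleet-wide constant opens the weak console */

    debug_session_t s = { {0}, false, false };
    memcpy(s.secret, secret, SECRET_LEN);

    ok += !hardened_debug_login(&s, secret, SECRET_LEN);        /* fuse cleared: refused even with the right secret */
    ok += (hardened_debug_write(&s, 0, 1) == -1);               /* and no memory access without a session */

    s.debug_fuse_open = true;                                   /* bench unit */
    ok += hardened_debug_login(&s, secret, SECRET_LEN);
    ok += (hardened_debug_write(&s, 3, 0x42) == 0);
    ok += (hardened_debug_read(&s, 3, &v) == 0 && v == 0x42);
    ok += (hardened_debug_write(&s, DIAG_BUF_LEN, 0x42) == -2); /* outside the allowlist */
    return ok;
}
```

The design point is that the hardened console removes each of the two preconditions the advisory relies on: a secret that is unique per unit has no value once extracted from another device, a debug fuse cleared at manufacture means no password at all is accepted on a fielded monitor, and a bounded diagnostics buffer turns "read and write arbitrary memory" into a narrow, auditable interface.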

While exploitation of the vulnerabilities is possible, Medtronic has determined that the risks are ‘controlled’, i.e. a sufficiently low and acceptable risk of patient harm. An attacker would need physical access to the monitor and would have to be in close proximity to the patient at the same time. It is not possible to exploit the vulnerabilities remotely.

Medtronic is implementing mitigations and will be issuing automatic software updates to prevent exploitation of the vulnerabilities. The updates are being rolled out as part of its standard update process. Medtronic notes there have been no reported cases of the vulnerabilities being exploited.

Patients can reduce the risk of exploitation of these vulnerabilities by maintaining sound physical controls to prevent unauthorized access to their patient monitor. Medtronic has pointed out that the use of secondhand MyCareLink patient monitors, or of monitors obtained from unofficial sources, carries a much higher risk of exploitation of the above vulnerabilities. Patients should only use MyCareLink patient monitors that have been obtained directly from Medtronic or their clinicians. Any concerning behavior of patients’ home monitors should be reported to their healthcare providers or Medtronic.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.