OTPulse

Medtronic 9790, 2090 CareLink, and 29901 Encore Programmers

Monitor | CVSS 4.6 | ICS-CERT ICSMA-18-347-01 | Dec 13, 2018
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The CareLink 9790, 2090, and 29901 Encore Programmers store patient protected health information (PHI) and personally identifiable information (PII) as part of normal operation. An attacker with physical access to an affected programmer can access this stored data directly. The 9790 has reached end-of-life and is no longer supported. The 2090 and 29901 have no announced patches. Stored data includes patient records generated during device programming and monitoring sessions.

What this means
What could happen
An attacker with physical access to a CareLink or Encore programmer could read patient health information and personal data stored on the device, compromising patient privacy without your knowledge.
Who's at risk
Healthcare facilities using Medtronic CareLink 9790, 2090, or 29901 Encore programmers should be concerned. These are cardiac and pacemaker programming devices that store patient health records and personal data as part of normal operation. Any clinic or hospital using these devices for patient monitoring and device programming is affected.
How it could be exploited
An attacker with physical possession of the programmer device can directly access stored patient health information (PHI) and personally identifiable information (PII) that the device has recorded during normal operation. No network access or credentials are required.
Prerequisites
  • Physical access to the programmer device
  • Device must be powered on or have residual power to access stored data
  • No patch available
  • No authentication required for physical access exploitation
  • Low complexity attack
  • Affects devices handling patient safety data
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
2 pending, 1 EOL
Product                  | Affected Versions | Fix Status
29901 Encore Programmer  | All versions      | No fix yet
CareLink 2090 Programmer | All versions      | No fix yet
CareLink 9790 Programmer | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Immediately retire the CareLink 9790 Programmer and discontinue its use for any purpose
WORKAROUND: Manually delete all programmer-generated reports containing PHI/PII from CareLink 2090 and 29901 Encore programmers before device disposal or reassignment
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

WORKAROUND: Configure CareLink 2090 and 29901 Encore programmers to retain PHI/PII on the device for the minimum necessary time
HARDENING: Establish a secure disposal process for all affected programmers, ensuring proper handling and destruction of electronic media per HIPAA and applicable privacy laws
Mitigations - no patch available
CareLink 9790 Programmer (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating control:
HARDENING: Implement physical security controls to restrict unauthorized access to programmer devices during storage, use, and disposal