CVE-2018-18984

Medtronic 9790, 2090 CareLink, and 29901 Encore Programmers Missing Encryption of Sensitive Data

Description

Medtronic CareLink and Encore Programmers do not encrypt or do not sufficiently encrypt sensitive PII and PHI information while at rest .

Remediation

Workaround:

  • The CareLink 9790 Programmer has been placed into end-of-life status and is no longer supported by Medtronic. Medtronic recommends users no longer use the 9790 for any purpose. The CareLink 2090 and 29901 Encore programmers store PHI and PII as part of their normal operating procedure. Medtronic recommends that when devices are storing PHI/PII it should be retained on these programmers for the least amount of time necessary, and should be handled, managed and secured in a manner consistent with the applicable laws for patient data privacy. Please contact a Medtronic representative for proper disposal and PHI/PII retention setting instructions. All affected programmers allow for the manual deletion of programmer-generated reports, which could contain PHI/PII. Medtronic recommends users delete these reports when no longer needed and prior to any disposition of the programmer. Medtronic recommends users take additional defensive measures to minimize the risk of exploitation. Specifically, hospitals and clinicians should: * Maintain strict physical control of the programmer. * Use only legitimately obtained programmers and not ones provided by any third party. Proper disposal of these programmers and the associated electronic media storing data is critical for the continued protection of any PHI and PII residing on the programmer. Medtronic has released a security bulletin related to this advisory that is available, with contact information, at the following location: https://www.medtronic.com/security

Categories

4.6
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.06%
Third-Party Advisory securityfocus.com Third-Party Advisory us-cert.gov
Affected: Medtronic CareLink 9790 Programmer
Affected: Medtronic CareLink 2090 Programmer
Affected: Medtronic 29901 Encore Programmer
Published at:
Updated at:

References

Link Tags
https://global.medtronic.com/xg-en/product-security/security-bulletins/carelink-9790-2090-29901.html
https://ics-cert.us-cert.gov/advisories/ICSMA-18-347-01 third party advisory us government resource
http://www.securityfocus.com/bid/106215 vdb entry third party advisory

Frequently Asked Questions

What is the severity of CVE-2018-18984?
CVE-2018-18984 has been scored as a medium severity vulnerability.
How to fix CVE-2018-18984?
As a workaround for remediating CVE-2018-18984: The CareLink 9790 Programmer has been placed into end-of-life status and is no longer supported by Medtronic. Medtronic recommends users no longer use the 9790 for any purpose. The CareLink 2090 and 29901 Encore programmers store PHI and PII as part of their normal operating procedure. Medtronic recommends that when devices are storing PHI/PII it should be retained on these programmers for the least amount of time necessary, and should be handled, managed and secured in a manner consistent with the applicable laws for patient data privacy. Please contact a Medtronic representative for proper disposal and PHI/PII retention setting instructions. All affected programmers allow for the manual deletion of programmer-generated reports, which could contain PHI/PII. Medtronic recommends users delete these reports when no longer needed and prior to any disposition of the programmer. Medtronic recommends users take additional defensive measures to minimize the risk of exploitation. Specifically, hospitals and clinicians should: * Maintain strict physical control of the programmer. * Use only legitimately obtained programmers and not ones provided by any third party. Proper disposal of these programmers and the associated electronic media storing data is critical for the continued protection of any PHI and PII residing on the programmer. Medtronic has released a security bulletin related to this advisory that is available, with contact information, at the following location: https://www.medtronic.com/security
Is CVE-2018-18984 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2018-18984 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2018-18984?
CVE-2018-18984 affects Medtronic CareLink 9790 Programmer, Medtronic CareLink 2090 Programmer, Medtronic 29901 Encore Programmer.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.