DBS SECURITY REFERENCE GUIDE
System Level Diagrams: Deep Brain Stimulation

NDHF1550-189563 Ver 5.0 1 of 8

FREQUENTLY ASKED QUESTIONS

1. How do I ensure my system components are secure in the environments in which they operate? Are
appropriate cybersecurity controls in place to enable secure operations?

Common Platform:
Profile restrictions: The Clinician Tablet (CT900) and Handset (HH90), which run an Android environment, use RTG MDM
to manage restriction profiles and to deploy the Medtronic Therapy Applications.

Access Control: The Clinician Tablet (CT900) enforces a password login with minimum length and character
requirements, in tandem with native Android AES-256 full-disk encryption of the entire contents of the device's
storage. On the Handset (HH90), password configuration is optional.

Policy enforcement: To augment the security of these devices, a stringent set of restriction policies is in place. On
the Handset (HH90) there is no access to the Google Play store for downloading third-party applications. Although the
Clinician Tablet (CT900) allows access to the Google Play store and the downloading of third-party applications, it
prevents their installation. The applications that are allowed to run are restricted by a combination of whitelist and
blacklist profiles. Enforcing these profiles automatically permits execution of whitelisted applications (those
allowed to run on the Android devices, i.e. the Handset (HH90) and Clinician Tablet (CT900)) and blocks execution of
blacklisted applications. The blacklist profile also disables any native Android applications that are pre-installed
as part of the Android default apps on the device.

Root detection is implemented at the Android Operating System layer and device rooting is prevented automatically.
In the unlikely event of a successful root, the MDM (Mobile Device Management) solution un-enrolls the device from
MDM and performs a device wipe to remove all data and applications on the device. Refer to Question 3 and the contact
information at the end of this document for recovery options.

All Medtronic Therapy Applications operate in a secure environment (a secure Operating System layer) protected by
anti-tampering and anti-reverse engineering capabilities that include: code obfuscation, resource encryption,
integrity checking, debugger detection, root detection, digital signature checks, data integrity checks, and
encrypted logs.

DBS Therapy:
Telemetry Environment: Instructions for mitigating telemetry issues in environments with high Electromagnetic
Interference (EMI), such as close proximity to Radio Frequency Identification (RFID) equipment, are provided in the
DBS Therapy-Specific Patient Booklets and the Model 8880T2 Communicator Technical Manual.
In noisy telemetry environments, the 8880T2 Communicator provides a wired USB connection option to the Clinician
Tablet (CT900).

Secure Connection: Instructions for securely pairing the Model TM91 Communicator to the Handset (HH90) and
linking to the Neurostimulator are provided in the Patient User Guide. The user scans the code on the TM91
Communicator label; the DBS Therapy Application then calculates the correct Bluetooth MAC address from the serial
number in the scanned code and uses it to initiate Bluetooth Low Energy communication with the Handset (HH90).

Instructions for securely pairing the Model TM90 Communicator to the Handset (HH90) are provided in the
Communicator (TM90) Instructions for Use.

Instructions for configuring secure communication with the SureTune™ 4 Software / Digital Health Platform¹ via the
SureTune Connector (A904) app are available in the SureTune™ 4 Software IT Reference Guide. The Clinician Tablet
requires a secure sockets layer/transport layer security (SSL/TLS) certificate to support a secure Wi-Fi connection
between the hospital servers and the SureTune™ 4 Software. It is recommended to use the hospital's certificate
management software to install, manage, and configure security certificates for all endpoints.

Physical Security: The Implantable Neurostimulators (INS) are physically implanted and are processed via sterile
handoff to enter the sterile field. The INS can only be programmed with an external Clinician Tablet (CT900) or a
Handset (HH90).

2. What features are in place that protect the system components even when the system’s cybersecurity
has been compromised? What secure configurations are in place to harden the system components
that minimize the attack surface?

Common Platform:
Policy enforcement: MDM has compliance policies for ensuring the security of the platform (Clinician Tablet
(CT900)/Handset (HH90)). In the event a cybersecurity compromise is detected on the device, MDM takes the
appropriate action: an enterprise wipe (which un-enrolls the device from MDM and performs a device wipe to remove all
data) or a factory reset. For example, the Clinician Tablet (CT900) factory resets after 10 failed password attempts.
The platform gives users the capability to periodically sync their devices (Handset (HH90)/Clinician Tablet (CT900))
with MDM to check for updates (Operating System updates, or Software/Firmware updates of the Medtronic system
components).

Wi-Fi on the Clinician Tablet (CT900) and Handset (HH90) supports WPA2-Enterprise and dual-band (2.4/5 GHz)
networks. Instructions to connect to secure Wi-Fi networks can be found here:
https://www.medtronic.com/content/dam/fieldportal/neuro/public/FIELDPORTAL1524861680267.pdf
https://www.medtronic.com/content/dam/fieldportal/neuro/public/FIELDPORTAL1537462259194.pdf

DBS Therapy:
All the system components are designed to recover from system faults and operation failures with minimal user
intervention in order to maintain reliable service. System components also verify that they are communicating only
with other Medtronic components.
For example, the INSs are designed to recover automatically from firmware resets. Although the Model 8880T2
Communicator, Model TM91 Communicator, and Model TM90 Communicator function as a bridge and do not initiate
any communication independently of the Therapy Applications, they have built-in capabilities to recover from
corrupted firmware updates. Additionally, these components do not require network connectivity to function,
which considerably reduces the attack surface.

Anti-tampering and anti-reverse engineering capabilities protect critical functionality of all Medtronic Applications at
the Operating System layer in the event that the cybersecurity of the ecosystem is compromised (see Question 1 for
more information). All the other system components benefit from leveraging these capabilities to be resilient to
cybersecurity compromises.

3. What backup capabilities, restore features, and procedures are in place to help users regain
configurations?

¹ For geographical regions where the Digital Health Platform is commercially available.

Common Platform:
Any wiped or reset Android device (Handset (HH90) or Clinician Tablet (CT900)) must go through a Medtronic
representative for device replacement or re-enrollment.

DBS Therapy:
System Troubleshooting: Troubleshooting instructions for users are provided in the Clinician Programming Guide for
the A610 DBS CP App and the Patient User Guide for the A620 DBS PP App. Contact Medtronic Technical Support before
resorting to the reset capability (contact information is provided at the end of this document).

When a replacement Communicator (Model 8880T2/Model TM90/Model TM91) is received, the initial configuration steps
to connect it to the Clinician Tablet (CT900)/Handset (HH90) are provided in the Clinician Programming Guide for the
A610 DBS CP App and the Patient User Guide for the A620 DBS PP App.

System Backup: Therapy settings may be restored by the clinician from the information generated in the session
reports. INS devices can restore historical clinician settings, up to 5 clinician sessions, via the session history feature.

4. What supporting infrastructure needs to be in place for system components to operate as intended?

Common Platform:
The devices themselves operate as intended without an external network connection. The core components are the
Handset (HH90)/Clinician Tablet (CT900) and the Communicator (Model 8880T2/Model TM90/Model TM91).

For post-setup application deployment and profile management, an external network connection is required in order
to communicate with MDM servers.

DBS Therapy:
Facilitate System Updates: The Communication Manager App (A901) maintains firmware version compatibility for the
Model 8880T2 Communicator and pushes updates as required. The firmware on the Model 8880T2 Communicator is
updated via USB cable communication with the Clinician Tablet (CT900). The Model 8880T2 Communicator recovers
from failed updates with some potential delays in operation when the user initiates a recovery update from the
Communication Manager App (A901).

The TM91 Communicator is Bluetooth discoverable and will pair to the Handset (HH90) once the user scans the code
on the Communicator device label via the DBS PP App (A620) or manually enters the device serial number (refer to
the Patient User Guide for instructions). User interaction is needed to activate the downloaded software. The TM91
has capabilities to recover from invalid updates to maintain reliable service.

The TM90 Communicator is Bluetooth discoverable and will pair to the Handset (HH90) via Bluetooth PKI (Public Key
Infrastructure) authentication. Firmware updates are performed within a secure telemetry session where the
Handset (HH90) will download the update into the TM90 Communicator. Digital signatures are used to ensure the
authenticity and data integrity of the update binary files. If the firmware update fails or is invalid, the normal
operations of the TM90 Communicator are restored with the previous version of the firmware.

The DBS CP App (A610) maintains INS firmware version compatibility and leverages the authentication capabilities
provided by the DBS CP App (A610). The INS (Percept™ PC B35200) maintains redundant memory for the firmware and
prevents an invalid update from running while maintaining operation of the active firmware.
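The update behaviour described for the TM90 Communicator and the INS above (a digitally signed update binary, a second memory region that receives the download, and the active firmware kept running whenever the update fails verification) is modelled below as an added example in Go. It is not Medtronic's or the Communicator's code; the image layout, the Ed25519 signature, the pinned vendor key and the rule that a valid image must carry a version higher than the active one are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)
// Image is one firmware package. Assumed wire layout: version(4, big-endian) || payload || 64-byte Ed25519 signature over both.
type Image struct {
	Version uint32
	Payload []byte
}
// Device models the redundant-memory layout: Active keeps running while a download lands in Staging.
type Device struct {
	Vendor  ed25519.PublicKey // pinned update-signing key (assumed trust root)
	Active  Image
	Staging []byte // raw download: may be truncated, modified or stale
}
// Pack signs an image with the vendor key (the release side's job).
func Pack(priv ed25519.PrivateKey, img Image) []byte {
	body := make([]byte, 4, 4+len(img.Payload))
	binary.BigEndian.PutUint32(body, img.Version)
	body = append(body, img.Payload...)
	return append(body, ed25519.Sign(priv, body)...)
}
// Verify checks length, signature, then (assumed policy) that the version is newer than Active, before any byte of the download is treated as firmware.
func (d *Device) Verify(raw []byte) (Image, error) {
	if len(raw) < 4+ed25519.SignatureSize {
		return Image{}, errors.New("image truncated")
	}
	n := len(raw) - ed25519.SignatureSize
	if !ed25519.Verify(d.Vendor, raw[:n], raw[n:]) {
		return Image{}, errors.New("signature invalid: not vendor-signed or modified")
	}
	img := Image{Version: binary.BigEndian.Uint32(raw), Payload: raw[4:n]}
	if img.Version <= d.Active.Version {
		return Image{}, errors.New("not newer than active image: refused")
	}
	return img, nil
}
// ApplyUpdate promotes Staging only if Verify passes; on any failure Active is untouched, so the device keeps running the previous firmware.
func (d *Device) ApplyUpdate() (uint32, error) {
	img, err := d.Verify(d.Staging)
	d.Staging = nil // the download is consumed either way
	if err == nil {
		d.Active = img
	}
	return d.Active.Version, err
}
```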

The DBS CP App (A610 v3.0 or higher) provides the option of importing anatomical shape data from SureTune™ 4
Software, via SureTune Connector (A904) using a secure SSL/TLS connection. The A904 maintains information on
data format compatibility with the SureTune™ 4 Software.

5. Are there any unused network ports open for communication? List out all the active interfaces
(communication channels) that support sending/receiving data and provide information around Data
Confidentiality and Data Integrity in-transit.

Common Platform:
Communication ports:
The Android Platform on both the Clinician Tablet (CT900) and the Handset (HH90) provides the ability to secure
Bluetooth, Wi-Fi and USB connections based on the security options within each protocol (see
https://source.android.com/security).

DBS Therapy:
Communication Ports:
All Bluetooth transmitted signals use the 2.4 GHz transmission frequency.
• Communication between the Model TM91 Communicator and the Handset (HH90) is via a Bluetooth port and
uses Bluetooth Low Energy (BTLE) in Class 2 mode over distances of at least 1 meter. Secure communication
over BTLE for the TM91 Communicator is accomplished via asymmetric public key cryptography, which the
Communicator uses to authenticate its identity to the Handset (HH90) when establishing the connection; the
parties then switch to symmetric keys generated with a cryptographic algorithm, encrypt and decrypt messages
using AES-128 (Advanced Encryption Standard), and append a MAC (Message Authentication Code) to every message.
• Communication between the Model TM90 Communicator and the Handset (HH90) is via a Bluetooth port and uses
Bluetooth Low Energy Mode 1 / Level 1. Secure communication over Bluetooth Low Energy is accomplished via
asymmetric public key cryptography, which the Communicator uses to authenticate its identity to the Handset
(HH90); the parties then switch to symmetric keys generated with a cryptographic algorithm, encrypt and decrypt
messages using AES-128 (Advanced Encryption Standard), and append a MAC (Message Authentication Code) to every
message.
• Communication between the Model 8880T2 Communicator and the Clinician Tablet (CT900) uses Bluetooth
Classic in Class 2 mode over distances of at least 2 meters. Secure communication over Bluetooth Classic is
accomplished by exchanging PIN keys via USB and then using the Bluetooth encryption protocols based on the
exchanged keys.
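The per-message protection the TM91 and TM90 bullets describe (AES-128 encryption with a MAC appended to every message, once the asymmetric authentication step is complete) is sketched below as an added example in Go. It is not Medtronic's code and models only the symmetric phase; the frame layout, the 16-byte tag, the use of a sequence number as the CTR nonce and the replay check are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// Session holds the symmetric keys in use once the asymmetric authentication step (not modelled here) is done.
type Session struct {
	EncKey, MacKey   []byte // 16-byte AES-128 key; HMAC-SHA256 key
	sendSeq, lastSeq uint32 // next sequence number to send; highest one accepted so far
}
// crypt applies AES-128-CTR keyed by seq, so every frame gets a fresh keystream as long as seq never repeats under one key.
func (s *Session) crypt(seq uint32, dst, src []byte) {
	block, _ := aes.NewCipher(s.EncKey)
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(iv, seq)
	cipher.NewCTR(block, iv).XORKeyStream(dst, src)
}
func (s *Session) tag(body []byte) []byte { // 16-byte MAC appended to each frame (assumed tag length)
	m := hmac.New(sha256.New, s.MacKey)
	m.Write(body)
	return m.Sum(nil)[:16]
}
// Seal builds seq(4) || ciphertext || tag(16): encrypt-then-MAC, with the tag covering seq as well.
func (s *Session) Seal(plain []byte) []byte {
	s.sendSeq++
	frame := make([]byte, 4+len(plain))
	binary.BigEndian.PutUint32(frame, s.sendSeq)
	s.crypt(s.sendSeq, frame[4:], plain)
	return append(frame, s.tag(frame)...)
}
// Open verifies the tag before decrypting; a truncated, modified, wrongly keyed or replayed frame is rejected (ok == false) with the session state unchanged.
func (s *Session) Open(frame []byte) (plain []byte, ok bool) {
	if len(frame) < 20 {
		return nil, false
	}
	body, tag := frame[:len(frame)-16], frame[len(frame)-16:]
	seq := binary.BigEndian.Uint32(body)
	if !hmac.Equal(tag, s.tag(body)) || seq <= s.lastSeq {
		return nil, false
	}
	plain = make([]byte, len(body)-4)
	s.crypt(seq, plain, body[4:])
	s.lastSeq = seq
	return plain, true
}
```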

All Tel-M transmitted signals use the 402 MHz transmission frequency. Tel-M bonding keys are encrypted with
AES-128.

All Tel-N transmitted signals use the 175 kHz transmission frequency. Tel-N push keys are encrypted for
INS (Percept™ PC Model B35200) communications.

External communications managed by the SureTune Connector App (A904) require a secure sockets
layer/transport layer security (SSL/TLS) connection.

6. How do I know whether I’m downloading the right version of the software/firmware update on my
system released as part of a cybersecurity vulnerability or incident?

Common Platform:
Android Operating System updates on both Clinician Tablet (CT900) and Handsets (HH90) are controlled and pushed
out by MDM on demand by modifying the restriction profiles for each device.

Any software updates to the Therapy Applications (DBS CP App (A610) and DBS PP App (A620)), the Communication
Manager App (A901), the Patient Data Service App (A902), and the SureTune Connector App (A904) are treated as a
new software release and follow Medtronic's conventional Product Release process. The deployment plan for
each product contains the information on the device registration process and the MDM configuration applied prior to
shipment.

DBS Therapy:
The Therapy Applications (DBS CP App (A610) and DBS PP App (A620)) verify the firmware version of the INS with
which they are communicating. If the application detects an incompatible firmware version during interrogation, it
notifies the user of the device's incompatibility. INS firmware updates are managed by the DBS CP App (A610) and
are deployed as necessary.

Firmware updates on the Model 8880T2 Communicator, Model TM90 Communicator and Model TM91
Communicator are enabled and delivered by the Communications Manager (A901) Application. If an incompatible
firmware version is in use during a connection, the connection to the Communicator is halted and the user is informed
to perform the update.

7. If a security event has occurred, how do the system components announce/notify the condition or
event? Where and how is forensic evidence captured for troubleshooting cybersecurity incidents?

Common Platform:
Although MDM provides capabilities to deliver notifications or alerts on the devices via restriction profiles, currently,
security notifications are not provided to the users on the Clinician Tablet (CT900) or the Handset (HH90). However,
in the event a security compromise is detected, MDM is able to perform an Enterprise Wipe or a Device Reset.

DBS Therapy:
The system records security violations and loss of communications as part of the system design. Users are notified of
communication losses via the Therapy Applications (DBS CP App (A610) and DBS PP App (A620)) and can refer to
instructions for troubleshooting in the Clinician Programming Guide for A610 DBS CP App and Patient User Guide for
A620 DBS PP App.
Communication logs between devices within the system are encrypted and available on the Android devices
(Handset (HH90) and Clinician Tablet (CT900)) to be decrypted and read by Medtronic for review. The size and period
of retention may vary for different logs.
In addition, the Model A901 Communication Manager Application logs Communicator firmware downloads including
Communicator firmware version, Communicator serial number, and timestamp of update.

Contact Information:

Medtronic Technical Support
Tel. 1-800-707-0933

Manufacturer
Medtronic, Inc.
710 Medtronic Parkway,
Minneapolis, MN 55432-5604,
USA
www.medtronic.com
Tel. +1-763-505-5000

Authorized Representative in the European Community (EC REP)
Medtronic B.V.
Earl Bakkenstraat 10,
6422 PJ Heerlen,
The Netherlands
Tel. +31-45-566-8000

Europe/Africa/Middle East Headquarters
Medtronic International Trading Sàrl
Route du Molliau 31,
Case Postale 84
CH - 1131 Tolochenaz,
Switzerland
www.medtronic.eu
Tel. +41-21-802-7000

Asia-Pacific
Medtronic International Ltd.
50 Pasir Panjang Road,
#04-51 Mapletree Business City,
Singapore 117384,
Singapore
Tel. +65-6870-5510

© Medtronic 2020
All Rights Reserved
