The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on the Medtronic cardiac device data workflow system.

This vulnerability affects Paceart Optima systems, versions 1.11 and prior.

CISA lists the vulnerability as the deserialization of untrusted data, “exploitable remotely” with “low attack complexity.” The agency says successful exploitation could result in a remote code execution or a denial-of-service condition. This could impact a healthcare delivery organization’s Paceart Optima system.

If a healthcare delivery organization enabled the optional Paceart Messaging Service in the system, an unauthorized user could exploit the vulnerability by sending specially crafted messages to the system. The unauthorized user may perform remote code execution and/or denial-of-service attacks, the CISA notice said.

Remote code execution could result in the deletion, theft or modification of Paceart Optima’s cardiac device data. It may also result in use of the system for further network penetration. A denial-of-service attack could cause the system to slow or be unresponsive. No known public exploits specifically target this vulnerability.

Medtronic recommends updating the Paceart Optima system to version 1.12. Customers can contact the company to schedule the update. The company also provided immediate mitigations and other suggested actions, listed in the CISA notice.

Medtronic statement on the CISA notice

A Medtronic spokesperson shared a statement with MassDevice confirming the identification of a vulnerability in the optional messaging feature. To date, the company has observed no unauthorized access or patient harm related to the issue. Medtronic notified healthcare delivery organizations about the vulnerability and provided them with instructions to eliminate it. For the vulnerability to be exploited, the company noted, healthcare delivery organizations must have proactively enabled the optional messaging feature.

“Medtronic takes any potential cybersecurity vulnerability in our products or systems very seriously,” the statement reads. “We are committed to a comprehensive, coordinated disclosure process, and we continually seek to improve these processes including our technical evaluation, required remediation, and speed of disclosure.”

More information about product security at Medtronic is available at