The U.S. government is warning of a critical-severity vulnerability in a heart monitor data management system made by Medtronic, which if exploited could result in remote code execution or a denial-of-service condition.
The deserialization of untrusted data flaw (CVE-2023-31222), for which patches are now available, exists on the Paceart Optima system, a software application that runs on healthcare organizations’ Windows servers, and collects, stores and retrieves patient cardiac device data from remote heart monitors. Specifically vulnerable is the system’s Paceart Messaging Service, which allows healthcare delivery organizations to send fax, email or pager messages within the Paceart Optima system.
The upside is that the Paceart Messaging Service is optional, as opposed to being configured by default - however, in the cases where it is enabled, the flaw is exploitable remotely and has a low attack complexity.
“Remote code execution could result in the deletion, theft, or modification of Paceart Optima system’s cardiac device data, or use of the Paceart Optima system for further network penetration,” said the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in its Thursday advisory. “A DoS attack could cause the Paceart Optima system to slow or be unresponsive.”
The flaw, which has a CVSS v3 score of 9.8, exists specifically in the Paceart Messaging Service’s implementation of the Microsoft Message Queuing Protocol. If the Paceart Messaging Service is enabled, an unauthorized user could exploit the flaw by sending specially crafted messages to the Paceart Optima system.
Beyond the ability to delete, steal or tamper with cardiac device data, the flaw can also be leveraged by attackers to then further penetrate healthcare organization systems through network connectivity. Still, though the alert says this vulnerability impacts historical patient data from heart monitors, no safety or effectiveness concerns are listed, noted Beau Woods, founder and CEO of Stratigos Security.
“A key element in protecting vulnerable devices and services is keeping them up-to-date with the latest security patches."
“In addition, the affected feature is disabled by default and Medtronic can update the software to more completely address the issue,” said Woods. “And the company is disclosing the information so that care facilities are informed of the issue and its impacts, and can take action. That’s all good news for patients.”
Medtronic said that versions 1.11 and prior of Paceart Optima are impacted by the flaw and recommended updating the system to version 1.12. In the meantime, mitigations include manually disabling the Paceart Messaging Service on the Application Server or manually disabling message queuing on the Application Server.
“At this time, Medtronic has not observed any cyberattacks, unauthorized access to or loss of patient data, or harm to patients related to this issue,” according to the company, which found the vulnerability during routine monitoring.
Medtronic has previously been under government scrutiny for the security of its devices. In 2019, Medtronic issued a recall for its MiniMed insulin pumps after the Food and Drug Administration (FDA) warned that a flaw in the devices could allow a threat actor to connect wirelessly to them and change their settings, allowing them to either deliver too much insulin, or not enough. In 2019, CISA issued an alert that warned of critical flaws in Medtronic medical devices like defibrillators, which could allow attackers to tamper with the devices.
Overall, to minimize the risk of this flaw, CISA said healthcare organizations should make sure their devices are not accessible from the internet, segment their control system networks and use secure methods like VPNs when remote access is required.
“A key element in protecting vulnerable devices and services is keeping them up-to-date with the latest security patches,” said Roey Vilnai, head of data with Cynerio, a connected medical device security company. “Medtronic released an update to the Paceart Optima service that mitigates the vulnerability and can be installed by contacting the company. However, patching is often not an option and in that case hospitals are required to implement compensating controls in order to minimize network exposure of connected medical devices and make sure they are not accessible from the internet.”