CISA, Medtronic Urge Critical Patch of Cardiac Medical Device Tool Flaw

By the First Health Team

A vulnerability in the Medtronic Paceart Optima System could enable an attacker to achieve remote code execution or launch a denial-of-service (DoS) attack affecting the operation and data of the system, according to a recent Cybersecurity and Infrastructure Security Agency alert. The Paceart Optima System is used to collect and manage cardiac device data.

The critical flaw has been given a CVSS v3 base score of 9.8 and requires prompt attention by healthcare network defenders.

“Although no reported exploitation has occurred, the risk associated with this vulnerability is significant and should take priority,” said First Health Advisory Chief Security Officer Matt Dimino.

The vulnerability stems from deserialization of untrusted data and affects healthcare delivery organizations that have enabled the optional Paceart Messaging Service in the Paceart Optima system. If exploited, a threat actor could attack the system by sending it specially crafted messages.
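The flaw class named above, deserialization of untrusted data, is worth seeing in code because the defensive fix is the same regardless of product: never hand a network message to a general-purpose object deserializer, parse it into a fixed schema instead. The example below is added here and is not Medtronic's code; the article does not describe the Paceart Messaging Service's actual message format or serialization library, so the message fields, the use of Python's `pickle` as the stand-in for a native object deserializer, and the `RestrictedUnpickler` mitigation (the pattern from the Python standard-library documentation) are all assumptions.

```python
import io
import json
import pickle

# Constructed stand-in schema for a device-status message. The real Paceart
# message format is not described in the article; this is illustrative only.
EXPECTED_FIELDS = {"device_id": str, "timestamp": str, "battery_pct": int}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so a pickle stream cannot name any
    callable or class. Plain containers of str/int/float still load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global lookup refused: {module}.{name}")


def unsafe_parse(blob: bytes):
    """The pattern that produces a deserialization-of-untrusted-data flaw:
    an object deserializer fed directly with bytes from the network."""
    return pickle.loads(blob)


def restricted_parse(blob: bytes):
    """Mitigation when the object format cannot be replaced outright:
    the same format, but with global resolution disabled."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def parse_json_message(blob: bytes) -> dict:
    """Preferred design: a data-only format validated against a strict
    allowlist of fields and types. Anything else is rejected before use."""
    try:
        obj = json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"rejected: not valid JSON ({exc})")
    if not isinstance(obj, dict) or set(obj) != set(EXPECTED_FIELDS):
        raise ValueError("rejected: unexpected field set")
    for field, expected_type in EXPECTED_FIELDS.items():
        if type(obj[field]) is not expected_type:
            raise ValueError(f"rejected: field {field} has wrong type")
    return obj


def is_rejected(parser, blob: bytes) -> bool:
    """True if the parser refuses the message instead of returning an object."""
    try:
        parser(blob)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False


def demo() -> dict:
    """Constructed inputs: a benign status message, and a pickle stream that
    merely references a harmless library function by name. The latter is
    enough to show that a general deserializer will resolve whatever global
    the sender names, which is exactly what the restricted loader forbids."""
    status = {"device_id": "PM-0001", "timestamp": "2024-01-01T00:00:00Z", "battery_pct": 87}
    benign_pickle = pickle.dumps(status)
    global_reference_pickle = pickle.dumps(json.loads)  # harmless function, by name
    json_msg = json.dumps(status).encode("utf-8")
    bad_json_msg = json.dumps({"device_id": "PM-0001", "cmd": "x"}).encode("utf-8")
    return {
        "unsafe_resolves_global": not is_rejected(unsafe_parse, global_reference_pickle),
        "restricted_blocks_global": is_rejected(restricted_parse, global_reference_pickle),
        "restricted_allows_plain_data": restricted_parse(benign_pickle) == status,
        "json_accepts_schema": parse_json_message(json_msg) == status,
        "json_rejects_offschema": is_rejected(parse_json_message, bad_json_msg),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point for defenders is the third and fourth results: data that fits the expected shape still loads under the restricted loader and the JSON schema, so the mitigation costs nothing functionally, while any message that tries to name code is refused before it is acted on. Disabling the optional messaging interface entirely, as the CISA alert describes, removes the parser from the attack surface altogether.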

Further, remote code execution could lead to the deletion, theft, or modification of the system’s cardiac device data. A threat actor could also use the exploit to move laterally across the network, or launch a DoS attack that interferes with the device’s function by slowing it down or rendering it unresponsive.

RCE attacks are highly dangerous, particularly with this type of medical device. An attack could lead to data exfiltration or modification, which could significantly impact clinical workflows and patient safety. These devices typically hold large troves of data, perhaps 500 or more records, so a breach would be a serious compromise.

As the attack could enable further network penetration, an exploit could also put adjacent systems at risk.

Medtronic has already provided both short-term and long-term remediation steps. The company recommends updating the system. Dimino notes that these steps are clearly defined and can be carried out by internal staff.

“Both processes will need careful internal review as it requires an update or change to the application software, which, in some cases, can affect the clinician’s discernment of how the system behaves due to potential changes in the interface appearance, workflows, and other operational tasks,” said Dimino.

“Review the manufacturer’s data sheets and define the key differences in system application versions before proceeding,” he added. “The level of effort to mitigate or remediate is nominal, making this a quick win for the organization.”

Medtronic recommends that certain system users contact the company for assistance and, in some instances, schedule an appointment to update the impacted device. The CISA alert notes that as long as the Paceart Messaging Service remains disabled, the vulnerability stays mitigated.