American medical device company Medtronic said it has identified a vulnerability in its heart device data management system, which if exploited can lead to data being deleted, stolen, or modified.

Medtronic’s Paceart Optima is a software application that runs on a Windows server operated by a healthcare delivery organization. The application collects, stores, and retrieves cardiac device data from device programmers and remote monitoring systems from all major cardiac device manufacturers to support standard clinical workflows.

The company said it identified the vulnerability during routine monitoring in the application’s optional messaging feature, which is “not configured by default, and cannot be exploited unless enabled”, according to its security bulletin.

If a healthcare delivery organization has enabled the optional service, “an unauthorized user could exploit this vulnerability to perform Remote Code Execution (RCE) and/or Denial of Service (DoS) attacks by sending specially crafted messages to the Paceart Optima system,” the company said.

An RCE could result in the Paceart Optima system’s cardiac device data being deleted, stolen, or modified, or in the Paceart Optima system being used as a foothold for further network penetration, while a DoS attack could cause the Paceart Optima system to become slow or unresponsive.

The vulnerability lies specifically in the Paceart messaging service’s implementation of the Microsoft Message Queuing (MSMQ) protocol.

The messaging service enables healthcare delivery organizations to send fax, email, and pager messages within the Paceart Optima system.

Medtronic said it has not so far “observed any cyberattacks, unauthorized access to or loss of patient data, or harm to patients related to this issue”. To eliminate that possibility, affected healthcare organizations can install an updated version of the data management system.


The vulnerability is present in Paceart Optima system versions 1.11 and earlier.

The company has therefore asked all healthcare providers running version 1.11 or earlier to contact it to schedule an update to version 1.12, which remediates the issue.

Meanwhile, Medtronic also provided immediate, temporary mitigation steps, including instructions for disabling the Paceart messaging service and the Windows message queuing feature on the application server.

However, it noted that even after those steps are taken, “the vulnerable code will still be present in the application, but will no longer be exploitable.”

“For complete mitigation on the application server, update the Paceart Optima system to version 1.12. This update removes the Paceart Messaging Service function and fully remediates the vulnerability on the Application Server,” the company said.
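Because the bulletin ties exploitability to whether the optional messaging feature and MSMQ are actually enabled, a practitioner’s first step is to establish that state on each Paceart Optima application server before scheduling the 1.12 update. The following read-only PowerShell audit is an added example, not Medtronic’s code or its published mitigation steps. It assumes the standard Windows MSMQ service name (“MSMQ”, display name “Message Queuing”), the standard “MSMQ-Server” feature name, MSMQ’s default listener on TCP 1801, and that the vendor messaging service’s display name matches `*Paceart*Messag*`; that last pattern is an assumption and should be confirmed against Medtronic’s bulletin.

```powershell
# Added audit example (not Medtronic's code or instructions). Read-only check of whether a
# Paceart Optima application server still has the optional MSMQ-based attack surface enabled.
# Assumptions: Windows MSMQ service name "MSMQ", feature name "MSMQ-Server", default MSMQ
# port TCP 1801, and a vendor service display name matching the pattern below (assumed).

function Get-PaceartMsmqExposure {
    [CmdletBinding()]
    param(
        # Wildcard used to find the vendor messaging service; assumed, not from the bulletin.
        [string]$PaceartServicePattern = '*Paceart*Messag*'
    )

    $result = [ordered]@{}

    # 1. Is the Windows Message Queuing feature installed?
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        # Server SKU
        $feature = Get-WindowsFeature -Name 'MSMQ-Server' -ErrorAction SilentlyContinue
        $result.MsmqFeatureInstalled = [bool]($feature -and $feature.Installed)
    } else {
        # Client SKU fallback
        $opt = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction SilentlyContinue
        $result.MsmqFeatureInstalled = [bool]($opt -and $opt.State -eq 'Enabled')
    }

    # 2. Is the MSMQ service present, and what are its status and start type?
    $msmqSvc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $result.MsmqServicePresent = [bool]$msmqSvc
    $result.MsmqServiceStatus  = if ($msmqSvc) { $msmqSvc.Status.ToString() } else { 'absent' }
    $result.MsmqStartType      = if ($msmqSvc) { $msmqSvc.StartType.ToString() } else { 'n/a' }

    # 3. Is anything listening on MSMQ's default TCP port? A live listener means crafted
    #    messages from the network can reach the queue even if the service looks idle.
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    $result.MsmqPortListening = [bool]$listener

    # 4. Is a Paceart messaging service registered, and is it running?
    $paceartSvc = Get-Service -DisplayName $PaceartServicePattern -ErrorAction SilentlyContinue
    $result.PaceartMessagingServicePresent = [bool]$paceartSvc
    $result.PaceartMessagingServiceStatus  = if ($paceartSvc) {
        ($paceartSvc | ForEach-Object { $_.Status.ToString() }) -join ','
    } else { 'absent' }

    # Verdict: the bulletin says the flaw is unexploitable unless the messaging feature is
    # enabled, so exposure requires the vendor service to exist AND MSMQ to be reachable.
    $result.Exposed = $result.PaceartMessagingServicePresent -and
                      ($result.MsmqServiceStatus -eq 'Running' -or $result.MsmqPortListening)

    [pscustomobject]$result
}

Get-PaceartMsmqExposure | Format-List
```

Run it in an elevated session on the application server. `Exposed = True` means the temporary mitigation (disable the messaging service and the message queuing feature) has not been applied and the host should be prioritized for the 1.12 update; because version 1.12 removes the Paceart Messaging Service, re-running the audit afterwards should report that service as absent. A `Running` MSMQ service with no Paceart service present is not the Paceart issue, but it is still network-reachable queuing that should be justified or removed.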