- Medtronic has found a cybersecurity vulnerability in an optional messaging feature in its Paceart Optima cardiac device data workflow system and reported the problem to the U.S. Cybersecurity & Infrastructure Security Agency.
- Medtronic has not observed any unauthorized access or patient harm related to the issue, the device maker said in an emailed statement.
- The company said it has notified healthcare delivery organizations about the vulnerability and has provided them with instructions to eliminate it.
The number of data breaches in healthcare continues to climb as the industry has become a prime target for cyber criminals who seek to access its troves of patient information. As more connected medical devices make their way into patient homes, ransomware, phishing and software vulnerabilities are among the biggest challenges facing the sector.
Medtronic’s Paceart Optima software application, which runs on a hospital's Windows server, collects cardiac device data from programmers and remote-monitoring systems from all major heart device makers to help support workflows, according to the company. The cybersecurity vulnerability Medtronic identified affects the system’s application server component.
Medtronic has not observed any cyberattacks, unauthorized access to data or loss of patient data related to the issue, the company said in a security bulletin. The optional messaging feature is not configured by default. However, the vulnerability could be exploited if healthcare organizations have enabled the messaging service, the device maker said.
“Medtronic takes any potential cybersecurity vulnerability in our products or systems very seriously. We are committed to a comprehensive, coordinated disclosure process, and we continually seek to improve these processes including our technical evaluation, required remediation, and speed of disclosure,” the company said.
An unauthorized user could exploit the vulnerability to perform remote code execution or a denial-of-service attack by sending specially crafted messages to the Paceart Optima system, CISA said in an advisory. Remote code execution could result in the deletion, theft or modification of the system’s cardiac device data, or the system could be used for further network penetration.