Medtronic finds hacking risk in heart device data management system

Medtronic has identified a vulnerability that could potentially allow hackers to access the cardiac device data stored in its Paceart Optima data workflow systems.

The technology is used by healthcare providers as a single place to compile the health data of patients using heart devices. It accepts transmissions from implants, programmers and remote monitoring devices made by both Medtronic and competitors like Boston Scientific and Abbott, including data gathered in the clinic and at a patient’s own home.

Once all the information has been compiled within the Paceart system, it can also be integrated with a hospital’s existing electronic health record system.

According to a security bulletin Medtronic posted Thursday, the cybersecurity flaw is associated with the optional messaging feature that’s built into the Paceart Optima technology but isn’t automatically activated in the system’s default configuration.

If a healthcare provider has chosen to enable the feature, a hacker may be able to use it to access data stored in the system and modify, delete or steal the information. Additionally, because the Paceart system is hosted on a hospital’s Windows server, a bad actor could also potentially use the vulnerability as a pathway toward “further network penetration,” according to Medtronic.

The devicemaker discovered the issue during routine monitoring and reported it to the federal Cybersecurity and Infrastructure Security Agency (CISA). CISA, in turn, has given the vulnerability a rating of 9.8 on the Common Vulnerability Scoring System (CVSS), a scale of 1 to 10. The Medtronic system’s score denotes a “critical” severity, thanks to the issue’s “low attack complexity” and the fact that hackers could exploit it remotely, without needing physical access to a hospital’s network, per CISA.

To date, Medtronic said it hasn’t received any reports of cyberattacks, harm to patients or unauthorized access to or loss of patient data associated with the cybersecurity flaw.

Medtronic has already developed an update to the Paceart Optima software that removes the vulnerability from the system by erasing the messaging service function. All healthcare providers using versions 1.11 and earlier of the system should contact Medtronic to schedule an update to the issue-mitigating version 1.12 software.

In the meantime, until the update has been completed, Medtronic provided instructions in the security bulletin explaining how to disable the messaging service and the message queuing feature until the service can be fully removed. According to the company, after those steps are taken, “the vulnerable code will still be present in the application, but will no longer be exploitable.”
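An added example, written here for defenders and not taken from the article or from Medtronic's bulletin: a PowerShell audit that checks whether the interim mitigation described above (messaging service and message queuing turned off until version 1.12 is installed) is actually in place on the Windows server hosting Paceart Optima. It assumes the "message queuing feature" is Windows Message Queuing (service `MSMQ`, optional feature `MSMQ-Server`); the article does not name the Paceart messaging service, so that name is a placeholder to be replaced with the one in Medtronic's bulletin.

```powershell
# Added example for defenders; not code from the article or from Medtronic.
# Audits a Windows host for the interim mitigation the article describes:
# the Paceart messaging service and the message queuing feature turned off
# until the Paceart Optima 1.12 update is installed.
#
# Assumptions (not stated in the article):
#   - "message queuing feature" means Windows Message Queuing (MSMQ):
#     Windows service 'MSMQ', optional feature 'MSMQ-Server'.
#   - The Paceart messaging service name is not given in the article;
#     replace the placeholder below with the name from Medtronic's bulletin.
# Run in an elevated PowerShell session on the Paceart server.

$PaceartMessagingService = 'PLACEHOLDER_PaceartMessagingService'   # placeholder, see bulletin

function Test-ServiceDisabled {
    # A service counts as mitigated only if it is stopped AND cannot restart on boot.
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Service not installed at all: nothing to disable for this check.
        return [pscustomobject]@{ Check = "service:$Name"; Present = $false;
                                  State = 'absent'; StartType = 'n/a'; Mitigated = $true }
    }
    $mitigated = ($svc.Status -eq 'Stopped') -and ($svc.StartType -eq 'Disabled')
    return [pscustomobject]@{ Check = "service:$Name"; Present = $true;
                              State = "$($svc.Status)"; StartType = "$($svc.StartType)"; Mitigated = $mitigated }
}

function Test-MsmqFeatureDisabled {
    # Get-WindowsOptionalFeature requires elevation; a missing result is reported
    # as unknown rather than assumed safe.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction SilentlyContinue
    if (-not $feat) {
        return [pscustomobject]@{ Check = 'feature:MSMQ-Server'; Present = $false;
                                  State = 'unknown (run elevated?)'; StartType = 'n/a'; Mitigated = $false }
    }
    return [pscustomobject]@{ Check = 'feature:MSMQ-Server'; Present = $true;
                              State = "$($feat.State)"; StartType = 'n/a'; Mitigated = ($feat.State -eq 'Disabled') }
}

$results = @(
    Test-ServiceDisabled -Name $PaceartMessagingService
    Test-ServiceDisabled -Name 'MSMQ'
    Test-MsmqFeatureDisabled
)
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Mitigated }) {
    Write-Warning 'Interim mitigation incomplete: the vulnerable messaging code remains exploitable until these items are disabled or version 1.12 is installed.'
    exit 1
}
Write-Host 'Interim mitigation in place; schedule the Paceart Optima 1.12 update with Medtronic.'
```

The check is deliberately strict: a service that is merely stopped but still set to automatic start will come back after a reboot, so the script only reports "mitigated" when both the state and the start type match. The result table is also a convenient artifact to keep with the change record until the 1.12 update, which removes the messaging code entirely, has been applied.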

In a statement sent to Fierce Medtech, Medtronic said it has notified healthcare delivery organizations about the vulnerability and shared the above actions with them.

“Medtronic takes any potential cybersecurity vulnerability in our products or systems very seriously,” the statement continued. “We are committed to a comprehensive, coordinated disclosure process, and we continually seek to improve these processes including our technical evaluation, required remediation and speed of disclosure.”