CISA issues warning for cardiac device system vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) warned of a severe vulnerability in a cardiac device from medical device company Medtronic.
The issue – tracked as CVE-2023-31222 – carries a “critical” CVSS score of 9.8 out of 10 and affects the company’s Paceart Optima software that runs on a healthcare organization’s Windows server.
The application “stores, and retrieves cardiac device data from programmers and remote monitoring systems from all major cardiac device manufacturers to aid in standard workflows.”
Medtronic said in an advisory that, if exploited, the vulnerability allows hackers to delete, steal or modify data from a cardiac device. Hackers could also use the flaw as a foothold to penetrate a healthcare organization’s network.
“Medtronic has identified a vulnerability in an optional messaging feature in the Paceart Optima cardiac device data workflow system. This feature is not configured by default, and it cannot be exploited unless enabled,” the company said.
“Healthcare delivery organizations should work with Medtronic Paceart technical support to install an update to the Paceart Optima application to eliminate this vulnerability from the Paceart Application Server.”
The issue affects all application versions 1.11 and earlier. Medtronic said it has not seen any exploitation of the bug so far.
CVE-2023-31222 was discovered during “routine monitoring,” according to Medtronic, which explained that the vulnerability lies in the software’s messaging service, the component that allows healthcare organizations to send fax, email, and pager messages from within the Paceart Optima system.
A hacker could use it to perform remote code execution (RCE) and denial-of-service (DoS) attacks by sending specially crafted messages to the Paceart Optima system. RCE attacks would allow an attacker to delete, steal or modify data from a cardiac device while a DoS attack could effectively shut down a device.
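The advisory gives defenders two facts to triage on: versions 1.11 and earlier are affected, and the bug is only reachable when the optional messaging feature is enabled. The following is an added illustration of that triage, not Medtronic’s, CISA’s or the article’s code. The inventory records, host names and the `messaging_enabled` flag are constructed for the example, and it assumes (not stated in the article) that a patch-level version such as `1.11.x` counts as 1.11. It also shows a common version-handling pitfall: compared as plain strings, "1.9" sorts after "1.11".

```python
"""Added triage helper for CVE-2023-31222 exposure (example code, not the
vendor's or the advisory's).  Ranks Paceart Optima servers by urgency using
only the two facts the advisory states: versions 1.11 and earlier are
affected, and the flaw is reachable only if the optional messaging
(fax/email/pager) feature has been enabled."""
from dataclasses import dataclass

# "All application versions 1.11 and earlier" are affected.
AFFECTED_MAX = (1, 11)


def parse_version(version: str) -> tuple:
    """Turn '1.11.2' into (1, 11, 2) so comparisons are numeric.

    A plain string comparison gets this wrong: '1.9' > '1.11' as text,
    so a string-based check would wrongly report 1.9 as newer than 1.11.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    # Assumption: only major.minor decides; any 1.11.x patch level is
    # treated as 1.11 (the article does not say otherwise).
    return parse_version(version)[:2] <= AFFECTED_MAX


@dataclass
class Server:
    host: str
    version: str
    messaging_enabled: bool  # the optional feature, off by default


def classify(server: Server) -> str:
    """Exposure status for one server."""
    if not is_affected(server.version):
        return "patched"          # version newer than 1.11
    if server.messaging_enabled:
        return "exploitable"      # affected AND the optional feature is on
    return "affected"             # update needed, but not reachable today


def triage(servers) -> list:
    """Return (host, status) pairs, most urgent first."""
    urgency = {"exploitable": 0, "affected": 1, "patched": 2}
    rows = [(s.host, classify(s)) for s in servers]
    return sorted(rows, key=lambda row: (urgency[row[1]], row[0]))


# Constructed sample inventory; nothing here comes from a real deployment.
SAMPLE_INVENTORY = [
    Server("cardio-db-01", "1.11", messaging_enabled=True),
    Server("cardio-db-02", "1.9", messaging_enabled=False),
    Server("cardio-db-03", "1.12", messaging_enabled=True),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {status}")
```

Servers flagged `exploitable` are the ones to take to Medtronic Paceart technical support first; `affected` hosts still need the update, since the feature can be switched on later.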
Sonu Shankar, vice president of cybersecurity firm Phosphorus, said the system collects data like device alerts, patient compliance, appointments, remote monitoring and more.
“If you can compromise or interfere with that data, or the use of that data, you can severely impact patient care and hospital operations overall. This means both patients and the healthcare providers are at risk here,” Shankar said.
“While the disclosure doesn’t mention a direct threat to the cardiac devices themselves, the inability to retrieve and manage data from them would severely impact hospital operators, especially as the system comprehensively covers data enabling decision making around patient care. Since the vulnerability allows for remote code execution within the Optima System, there remains the possibility that a sophisticated attacker could find ways to interfere with the device’s overall maintenance and associated hospital workflows.”
Shankar noted that the vulnerability is not complex and would be useful to the kind of ransomware groups that typically target hospitals and healthcare organizations.
The most likely scenario would be that a ransomware group uses the vulnerability to both encrypt and extort patient data, Shankar added, explaining that overall, there has been a significant increase in the exploitation of IoT devices.
The vast majority of medical devices in clinical settings, Shankar said, run without mature password policies, dramatically increasing the likelihood of a threat actor holding those devices for ransom.
In September, the FBI warned that hundreds of vulnerabilities in widely used medical devices are leaving a door open for cyberattacks. The FBI specifically cited vulnerabilities found in intracardiac defibrillators, mobile cardiac telemetry and pacemakers, noting that malicious hackers could take over the devices and change readings, administer drug overdoses, or “otherwise endanger patient health.”
“Cyber threat actors exploiting medical device vulnerabilities adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity,” the alert said.
GuidePoint Security operational technology consultant Christopher Warner told Recorded Future News that this vulnerability is a prime example for manufacturers and suppliers to take proactive measures and advise on vulnerabilities as soon as they are discovered to allow medical service providers time to manage remediation.
“Bad actors could use these vulnerabilities to perform remote code execution to manipulate heart analysis data and misdiagnose a patient’s cardiac health,” he said.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.