CISA warns of high-risk cyber vulnerability for Medtronic cardiac device data management system

Jul 06, 2023 - 03:11 PM
cybersecurity-hand-lock-graphic_900x400

The Cybersecurity & Infrastructure Security Agency is warning of a significant, high-risk vulnerability in Medtronic’s Paceart Optima System, which is used to compile and manage patients’ cardiac device data. CISA says the system’s versions 1.11 and prior are at risk of exploitation by unauthorized users, who can then perform remote code executions or launch denial-of-service attacks. The latter could slow or render the system unresponsive. 
 
Medtronic recommends immediately updating the Paceart Optima system to v1.12 to mitigate this issue. Contact Medtronic to schedule an upgrade and read CISA’s alert for a list of mitigation steps Medtronic recommends taking until the upgrade to v1.12 can be completed. 
  
“As with many medical device cyber vulnerabilities, hospitals and health systems are dependent upon third-party medical device manufacturers (MDM) to develop and deploy patches, which may require an extended time for the MDM to fully implement across its customer base,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “In this case, we hope that Medtronic has devoted sufficient resources to handle the increased demand for the upgrade to v1.12 to mitigate this critical vulnerability in an expedited manner. In the interim, per CISA and Medtronic, it is recommended that organizations manually disable the Paceart Messaging Service on the application server. This issue also serves as reminder for hospitals and health systems to ensure efficient communication and alignment between clinical engineering and information security teams for efficient monitoring and mitigation of cyber vulnerabilities present in medical devices.” 

Related News Articles

Headline
CISA releases guidance following reported legacy Oracle cloud breach
The Cybersecurity and Infrastructure Security Agency April 17 released guidance to reduce risks associated with a reported breach of Oracle cloud services.…
Headline
Agencies issue guidance on navigating deceptive online recruitment of current and former federal employees
The National Counterintelligence and Security Center, the FBI, and the Defense Counterintelligence and Security Center yesterday released guidance on…
AHA Cyber Intel
[Updated] 3 Must-know Cyber and Risk Realities: What’s Ahead for Health Care in 2025
While the rate of cyberattacks on hospitals has risen dramatically, the severity of the impacts has also grown exponentially. Let’s look at the state of cyber…
Headline
House subcommittee holds hearing on cybersecurity vulnerabilities in legacy medical devices
The House Energy and Commerce Oversight and Investigations Subcommittee April 1 discussed cybersecurity threats in legacy medical devices during a hearing. The…
Headline
Administration extends national emergency for cyber threats
The Trump Administration March 28 announced that it renewed for one year the public emergency for ongoing malicious cyber-enabled activities against the U.S.…
Headline
FBI says no specific, credible threat targeting U.S. hospitals
The FBI March 26 advised that, after extensive investigation and intelligence review, they have not identified any specific credible threat targeted against…