CISA issues warning for cardiac device system vulnerability

July 4, 2023 – Published on The Record

The Cybersecurity and Infrastructure Security Agency (CISA) warned of a severe vulnerability in a cardiac device from medical device company Medtronic.

The issue – tracked as CVE-2023-31222 – carries a “critical” CVSS score of 9.8 out of 10 and affects the company’s Paceart Optima software that runs on a healthcare organization’s Windows server.

The application “stores, and retrieves cardiac device data from programmers and remote monitoring systems from all major cardiac device manufacturers to aid in standard workflows.”

Medtronic said in an advisory that if exploited, the vulnerability allows hackers to delete, steal or modify data from a cardiac device. Hackers can also use the device’s issues to penetrate a healthcare organization’s network.

GuidePoint Security operational technology consultant Christopher Warner told Recorded Future News that this vulnerability is a prime example of why manufacturers and suppliers should take proactive measures and advise on vulnerabilities as soon as they are discovered, to allow medical service providers time to manage remediation.

“Bad actors could use these vulnerabilities to perform remote code execution to manipulate heart analysis data and misdiagnose a patient’s cardiac health,” he said.