CISA Warns Health Care Organizations of Paceart Optima Software Vulnerability

The Cybersecurity and Infrastructure Agency has issued a warning about a vulnerability affecting Medtronic’s cardiac devices.

Medtronic’s Paceart Optima software stores and retrieves cardiac device data for programmers and remote monitoring systems for major cardiac device manufacturers. According to Medtronic, hackers can delete, steal or change data from a cardiac device if they manage to penetrate a health care organization’s network.

Other risks include unwanted remote code execution and denial-of-service attacks, The Record reported Tuesday.

Medtronic said Paceart Optima versions 1.11 and earlier are affected, but no exploitation has been identified thus far. CISA discovered the vulnerability, labeled CVE-2023-31222, during a routine monitoring activity.

The CISA advisory comes months after the FBI warned organizations about hundreds of vulnerabilities affecting medical devices. According to the FBI, unpatched medical devices running on outdated software and devices that lack adequate security make it easier for hackers to exploit vulnerabilities and impact patient safety and operations.

Months before the FBI warning, the Department of Health and Human Services warned organizations about potential cyberattacks from the Lapsus$ ransomware group. The warning followed a Lapsus$ attack on Okta’s systems in January that had implications for the health care sector.