Security bulletins
Mirth Connect
Researchers have identified two security vulnerabilities located in Mirth Connect, a third-party open source healthcare data integration platform.
November 30, 2023
Summary
Researchers have identified two security vulnerabilities located in Mirth® Connect, a third-party, open source healthcare data integration platform. These vulnerabilities impact NextGen Mirth Connect 4.4.0 and prior versions. The vulnerabilities allow attackers to remotely execute arbitrary commands on the hosting server.
The products known to be impacted by these vulnerabilities, as well as recommended actions, are found below. Medtronic will update this security bulletin if additional impact is discovered or there are further recommended actions.
Medtronic is not aware of any cyberattacks, unauthorized access to or loss of patient data, or harm to patients related to these vulnerabilities.
Product impacted
Mainspring® data express
NextGen Mirth Connect is installed as an optional component of Mainspring® Data Express CareLink™ Electronic Health Record (EHR) Integration. Mainspring is used to export cardiac patient device data from the Medtronic CareLink™ network and is an optional component (installed separately) when using the CareLink network. Mirth is not owned nor developed by Medtronic.
For clarity, the following systems integrated with the CareLink network are NOT impacted:
- The Paceart Optima™ system is NOT impacted by these vulnerabilities; Mirth Connect is NOT used or installed when exporting data from the CareLink network to the Paceart Optima™ system.
- CareLink™ network customers who do NOT use Mainspring® are NOT impacted by these vulnerabilities; only CareLink™ network customers using Mainspring® with Mirth may be vulnerable.
Vital Sync™ virtual patient monitoring platform and informatics manager
Mirth Connect is a component that is used by a small number of Vital Sync customers to allow communication between medical devices from Welch Allyn and the Vital Sync™ software. If you are using Vital Sync and NOT communicating with medical devices from Welch Allyn, you will not have the vulnerable Mirth Connect component installed for proper operation of Vital Sync™. Medtronic has identified the Vital Sync™ customers that leverage the Mirth Connect component to communicate with Welch Allyn medical devices and will be contacting them directly regarding remediation.
Vulnerability overview
At this time, Medtronic is not aware of any cyberattacks, unauthorized access to or loss of patient data, or harm to patients related to these vulnerabilities.
The National Institute of Standards and Technology (NIST) published CVE-2023-37679 and CVE-2023-43208 to the National Vulnerability Database (NVD). Below is a short summary of each vulnerability with a link to their respective NIST NVD entries. NIST may publish new details as they become available:
- CVE-2023-43208 - This is a critical severity remote code execution (RCE) vulnerability that affects third party software Mirth Connect versions prior to 4.4.1. It can be exploited without authentication, allowing an attacker to execute arbitrary code on the affected system.
- CVE-2023-37679 - This is a critical severity remote code execution (RCE) vulnerability that affects third party software Mirth Connect versions prior to 4.4.0.
Recommended actions
Mainspring® data express
- Immediate mitigation actions: Mainspring® users should
- Check for the presence of Mirth Connect on your Mainspring server(s) (see final section in this Bulletin).
- If Mirth Connect version 4.4.0 (or prior) is present, uninstall Mirth Connect (see final section in this Bulletin).
- Once the prior version of Mirth Connect has been uninstalled, you can install Mirth Connect version 4.4.2 from the NextGen HealthCare website, which includes fixes for these vulnerabilities. After installation of Mirth Connect v4.4.2, update your Mirth Channel to match your previous configurations.
- To evaluate Mainspring® functionality, confirm that new transmissions are being processed without issue as well as confirm that you can manually export transmissions from CareLink™.
- Please update to Mainspring® 13.0. Available since April 2024, this release does not require the Mirth Connect component.
Vital Sync™ virtual patient monitoring platform and informatics manager
Medtronic will be contacting the Vital Sync™ customers it has identified leveraging the Mirth Connect component to allow communication between medical devices from Welch Allyn and the Vital Sync™ software. Vital Sync™ customers that are unsure if they use Mirth Connect to communicate with Welch Allyn devices can check for the presence of Mirth Connect on the server(s) where their Vital Sync™ install resides by referencing the final section in this Bulletin. If Vital Sync™ customers have Mirth Connect installed on a Vital Sync™ server to allow communication with Welch Allyn devices, please contact Medtronic for solution steps by email or by calling patient monitoring technical support at 1-800-255-6774, option 6.
For more information:
Mainspring® data express
Mainspring Data Express customers can contact Medtronic Technical Services at 1-800-929-4043, option 3.
Vital Sync™ virtual patient monitoring platform and informatics manager
Vital Sync™ customers can email rs.himsupportboulder@medtronic.com or contact patient monitoring technical support at 1-800-255-6774, option 6.
Detailed Mainspring® data express instructions:
To identify if you are using Mainspring®:
- Navigate to the CareLink™ web interface
- Click on “Transmissions” tab
- In the menu above the transmissions check for the Export folder icon
If the Export folder Icon is NOT present, then you are NOT using Mainspring, and you are NOT impacted. If the Export folder Icon is present, then you are using Mainspring®, and you should check for the presence of Mirth where your Mainspring® installation resides (i.e., server or workstation).
If you use a third-party provider (i.e., Murj, Pacemate, Implicity, etc.), consider contacting them for the location of the Mainspring® installation.
If you are using the Paceart Optima™ system, you are NOT impacted, as Paceart™ does NOT use Mirth.
To identify NextGen Mirth Connect through add/remove programs on Windows:
1. Open the control panel.
2. Click on programs and features.
3. Scroll through the list of programs and look for Mirth Connect.
4. If you see Mirth Connect in the list, then it is installed on your computer.
5. Note the version installed on your server.
To uninstall NextGen Mirth Connect through add/remove programs on Windows:
1. Before you begin, document your existing Mirth Channel configurations.
2. Open the control panel.
3. Click on programs and features.
4. Scroll through the list of programs and select Mirth Connect.
5. Click on uninstall and follow the prompts to uninstall Mirth Connect.
Detailed vital sync instructions:
To identify if NextGen Mirth Connect is installed on your vital sync server through the add/remove programs on Windows:
1. Open the control panel.
2. Click on programs and features.
3. Scroll through the list of programs and look for Mirth Connect.
4. If you see Mirth Connect in the list, then it is installed on your computer.
5. Note the version installed on your server.