Mirth Connect Vulnerabilities

November 30, 2023

Summary

Researchers have identified two security vulnerabilities in Mirth® Connect, a third-party, open source healthcare data integration platform. These vulnerabilities impact NextGen Mirth Connect 4.4.0 and prior versions and allow attackers to remotely execute arbitrary commands on the hosting server.

The products known to be impacted by these vulnerabilities, as well as recommended actions, are found below. Medtronic will update this Security Bulletin if additional impact is discovered or there are further recommended actions.

Medtronic is not aware of any cyberattacks, unauthorized access to or loss of patient data, or harm to patients related to these vulnerabilities.

Products impacted

Mainspring® Data Express

NextGen Mirth Connect is installed as an optional component of Mainspring™ Data Express CareLink™ Electronic Health Record (EHR) Integration. Mainspring is used to export cardiac patient device data from the Medtronic CareLink™ network and is an optional component (installed separately) when using the CareLink network. Mirth is neither owned nor developed by Medtronic.

For clarity, the following systems integrated with the CareLink network are NOT impacted:

  • The Paceart Optima™ system is NOT impacted by these vulnerabilities; Mirth Connect is NOT used or installed when exporting data from the CareLink network to the Paceart Optima™ system.
  • CareLink network customers who do NOT use Mainspring are NOT impacted by these vulnerabilities; only CareLink network customers using Mainspring with Mirth may be vulnerable.

Vital Sync™ Virtual Patient Monitoring Platform and Informatics Manager

Mirth Connect is a component used by a small number of Vital Sync customers to allow communication between medical devices from Welch Allyn and the Vital Sync software. If you are using Vital Sync and are NOT communicating with medical devices from Welch Allyn, the vulnerable Mirth Connect component is not needed for Vital Sync to operate and will not be installed. Medtronic has identified the Vital Sync customers that leverage the Mirth Connect component to communicate with Welch Allyn medical devices and will be contacting them directly regarding remediation.

Vulnerability Overview

At this time, Medtronic is not aware of any cyberattacks, unauthorized access to or loss of patient data, or harm to patients related to these vulnerabilities.

The National Institute of Standards and Technology (NIST) published CVE-2023-37679 and CVE-2023-43208 to the National Vulnerability Database (NVD). Below is a short summary of each vulnerability with a link to their respective NIST NVD entries. NIST may publish new details as they become available:

  • CVE-2023-43208 - This is a critical severity remote code execution (RCE) vulnerability that affects third party software Mirth Connect versions prior to 4.4.1. It can be exploited without authentication, allowing an attacker to execute arbitrary code on the affected system.
  • CVE-2023-37679 - This is a critical severity remote code execution (RCE) vulnerability that affects third party software Mirth Connect versions prior to 4.4.0.

Recommended Actions

Mainspring® Data Express

  • Immediate mitigation actions: Mainspring users should
    1. Check for the presence of Mirth Connect on your Mainspring server(s) (see final section in this Bulletin).
    2. If Mirth Connect version 4.4.0 (or prior) is present, uninstall Mirth Connect (see final section in this Bulletin).
    3. Once the prior version of Mirth Connect has been uninstalled, you can install Mirth Connect version 4.4.2 from the NextGen HealthCare website, which includes fixes for these vulnerabilities. After installation of Mirth Connect v4.4.2, update your Mirth Channel to match your previous configurations.
    4. To evaluate Mainspring functionality, confirm that new transmissions are being processed without issue as well as confirm that you can manually export transmissions from CareLink.
  • Long term remediation action: Upon release in early 2024, please update to Mainspring 13.0, which does not require the Mirth Connect component.

Vital Sync™ Virtual Patient Monitoring Platform and Informatics Manager

Medtronic will be contacting the Vital Sync customers it has identified leveraging the Mirth Connect component to allow communication between medical devices from Welch Allyn and the Vital Sync software. Vital Sync customers that are unsure if they use Mirth Connect to communicate with Welch Allyn devices can check for the presence of Mirth Connect on the server(s) where their Vital Sync install resides by referencing the final section in this Bulletin. If Vital Sync customers have Mirth Connect installed on a Vital Sync server to allow communication with Welch Allyn devices, please contact Medtronic for solution steps through email (rs.himsupportboulder@medtronic.com) or by calling Patient Monitoring technical support (1-800-255-6774 option 6).

For more information:

Mainspring® Data Express

Mainspring Data Express customers can contact Medtronic Technical Services at 1-800-722-3278.

Vital Sync™ Virtual Patient Monitoring Platform and Informatics Manager

Vital Sync customers can email rs.himsupportboulder@medtronic.com or contact Patient Monitoring technical support at 1-800-255-6774 option 6.

Detailed Mainspring Data Express Instructions:

To identify if you are using Mainspring:

  1. Navigate to the CareLink Web Interface.
  2. Click on the “Transmissions” tab.
  3. In the menu above the transmissions, check for the Export folder icon.

If the Export folder icon is NOT present, then you are NOT using Mainspring, and you are NOT impacted. If the Export folder icon is present, then you are using Mainspring, and you should check for the presence of Mirth where your Mainspring installation resides (i.e., server or workstation).

If you use a third-party provider (e.g., Murj, Pacemate, Implicity), consider contacting them for the location of the Mainspring installation.

If you are using the Paceart Optima system, you are NOT impacted, as Paceart does NOT use Mirth.

[Screenshot: active transmissions]

To identify NextGen Mirth Connect through Add/Remove Programs on Windows:

1. Open the Control Panel.

2. Click on Programs and Features.

3. Scroll through the list of programs and look for Mirth Connect.

[Screenshot: Mirth Connect installed]

4. If you see Mirth Connect in the list, then it is installed on your computer.

5. Note the version installed on your server.

To uninstall NextGen Mirth Connect through Add/Remove Programs on Windows:

1. Before you begin, document your existing Mirth Channel configurations.

2. Open the Control Panel.

3. Click on Programs and Features.

4. Scroll through the list of programs and select Mirth Connect.

[Screenshot: Mirth Connect installed]

5. Click on Uninstall and follow the prompts to uninstall Mirth Connect.

Detailed Vital Sync Instructions:

To identify if NextGen Mirth Connect is installed on your Vital Sync Server through the Add/Remove Programs on Windows:

1. Open the Control Panel.

2. Click on Programs and Features.

3. Scroll through the list of programs and look for Mirth Connect.

[Screenshot: Mirth Connect installed]

4. If you see Mirth Connect in the list, then it is installed on your computer.

5. Note the version installed on your server.
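The Add/Remove Programs check above, for both the Mainspring and the Vital Sync server, can also be run from the command line so that the result is recorded rather than read off a screen. The following PowerShell script is an added example and not part of the Medtronic bulletin; it reads the same Uninstall registry keys that Programs and Features displays, and assumes Mirth Connect registers there with a DisplayName containing "Mirth Connect" and a DisplayVersion that starts with a numeric version such as "4.4.0" (an assumption, not confirmed by the bulletin).

```powershell
# Added example (not from the Medtronic bulletin). Run as an administrator on the
# Mainspring or Vital Sync server. Reports whether Mirth Connect is present and
# whether its version is below the fixed release named in the bulletin.
# ASSUMPTION: Mirth Connect appears under the standard Uninstall keys with a
# DisplayName containing "Mirth Connect" and a parseable DisplayVersion.

$fixedVersion = [version]'4.4.1'   # CVE-2023-43208 is fixed in 4.4.1; the bulletin recommends installing 4.4.2

# Programs and Features is populated from these two registry locations (64-bit and 32-bit installers)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$mirth = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Mirth Connect*' }

if (-not $mirth) {
    Write-Output 'Mirth Connect not found in Programs and Features; this server is not affected by this bulletin.'
    return
}

foreach ($entry in $mirth) {
    $versionText = [string]$entry.DisplayVersion
    # Keep only the leading numeric part (e.g. "4.4.0" from "4.4.0.b1234") so [version] can parse it
    $numeric = ($versionText -split '[^0-9.]')[0].TrimEnd('.')
    $parsed = $null
    if (-not [version]::TryParse($numeric, [ref]$parsed)) {
        Write-Output "Found '$($entry.DisplayName)' with unparseable version '$versionText'; check the version manually."
        continue
    }
    if ($parsed -lt $fixedVersion) {
        Write-Output "VULNERABLE: $($entry.DisplayName) $parsed is below $fixedVersion. Document the Mirth Channel configuration, uninstall, and install 4.4.2 per the bulletin."
    } else {
        Write-Output "OK: $($entry.DisplayName) $parsed is at or above $fixedVersion."
    }
    if ($entry.InstallLocation) { Write-Output "  Install location: $($entry.InstallLocation)" }
}
```

Keep the output with your change records: it documents the version found before the uninstall step, which the bulletin asks you to note.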