Alerts: Flaws in Ultrasound, Open-Source Hospital SystemsDHS Advisories Spotlight Authentication, Other Security Issues
Federal authorities have issued security advisories related to vulnerabilities in ultrasound systems from a major medical device maker, and multiple flaws in an open-source hospital information management system used primarily by smaller entities. Together the alerts highlight the range security risks spanning various segments of the healthcare sector globally.
The recent Department of Homeland Security advisories include a June 25 alert about authentication vulnerabilities identified and reported to DHS' Cybersecurity and Infrastructure Security Agency by medical device maker Philips in certain versions of the company's ultrasound systems.
The other CISA alert issued on July 2 pertains to a variety of vulnerabilities identified and reported by an independent security researcher relating to OpenClinic GA, an integrated hospital information management system developed by an open-source community on Source Forge.
The two alerts highlight the range of security issues faced by various segments of the healthcare sector, and the need for all healthcare organizations to be proactive in assessing and addressing vulnerabilities that potentially jeopardize data and patients, some experts note.
"The biggest lesson is how important it is to perform a thorough security risk analysis as early as possible in the procurement or implementation cycle," says Cathie Brown, vice president of professional services at security and privacy consulting firm Clearwater.
"Organizations must give themselves enough time to uncover security flaws and vulnerabilities long before they seriously consider the use of open-source or purchase of a system," she says. "This includes vulnerability scanning and threat assessment as part of their purchasing due diligence."
Philips Vulnerability Details
The vulnerability identified in certain Philips ultrasound systems involves "authentication bypass using an alternate path or channel," which if successfully exploited may allow a non-authenticated attacker to view or modify information, the DHS alert notes.
Philips ultrasound systems impacted by the vulnerability include certain various versions of the ClearVue, CX, EPIQ/Affiniti, Sparq and Xperius products, which are available worldwide.
In a statement provided to Information Security Media Group, Philips says its analysis indicates "that this is not a device safety issue, and there is no expectation of patient hazard. To date, Philips has not received reports of this vulnerability being exploited in clinical use."
Exploiting the issue requires not only local access to an affected system and but a high technical skill level to exploit, Philips adds. "If a successful exploitation occurs, the only result is that an unauthorized user may be able to enable and access ultrasound device features that were not included with system purchase."
Depending upon the specific ultrasound system product and version impacted by the vulnerability, Philips has already issued - or plans to release before year-end - software updates to address the problem, the company says in its own advisory to customers.
DHS in its alert also recommends users to take a variety of "defensive measures to minimize the risk of exploitation of this vulnerability." That includes:
- Implement physical security measures to limit or control access to critical systems;
- Restrict system access to authorized personnel only and follow a least privilege approach;
- Apply defense-in-depth strategies;
- Disable unnecessary accounts and services.
Philips did not immediately respond to an ISMG inquiry regarding the estimated number of ultrasound systems affected by the vulnerability worldwide.
OpenClinic GA Flaws
While the authentication vulnerability identified in certain Philips ultrasound systems affect a popular line of medical devices from a major manufacturer worldwide, the vulnerabilities highlighted in the DHS alert pertaining to OpenClinic GA involve a wider range of issues in an open-source hospital information management system that tends to be used globally by a smaller audience of healthcare entities that have more limited IT resources, some experts note.
In its alert, DHS notes the OpenClinic GA vulnerabilities were reported by an independent security researcher, Brian Hysell, who did not immediately respond to an ISMG request for additional details about his findings.
According to DHS, the list of vulnerabilities identified in OpenClinic GA potentially can be remotely exploited with a "low skill level" utilizing "public exploits."
The OpenClinic GA vulnerabilities include "authentication bypass using an alternate path or channel" - similar to the Philips ultrasound issue.
However, the OpenClinic GA security problems also contain a number of other authentication issues and other flaws.
These include: improper restriction of excessive authentication attempts; improper authentication; missing authorization; execution with unnecessary privileges; unrestricted upload of file with dangerous type; path traversal; improper authorization; cross-site scripting; use of unmaintained third-party components; insufficiently protected credentials, and hidden functionality, according the DHS.
DHS also notes that successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, discover restricted information, view/manipulate restricted database information, and/or execute malicious code.
Steps to Take
OpenClinic GA and Source Forge did not immediately respond to an ISMG request for comment on the DHS advisory or the steps being taken by the OpenClinic GA open-source community to address the security vulnerabilities.
However, in its alert, DHS recommends a list of steps for OpenClinic GA users to take to minimize the risk of exploitation of the various vulnerabilities, including:
- Ensure that least-privilege user principle is followed;
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet;
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network;
- When remote access is required, use secure methods, such as virtual private networks.
Some security experts note that in general, vulnerabilities involving authentication in medical devices - especially legacy products - are a frequent issue for the healthcare sector.
"Authentication flaws are a common problem, and hard to get right," says Kevin Fu, chief scientist and founder of the Archimedes Center for Healthcare and Device Security at the University of Michigan.
"As manufacturers begin to integrate the Food and Drug Administration's recognized cybersecurity consensus standards such as AAMI TIR 57, these problems will eventually be designed out. However, it will take a long time for legacy systems to move on," he notes.
But other experts note that authentication issues are not just a problem for medical devices - they are also unfortunately a frequent issue for other health IT products - as spotlighted by the alert concerning the OpenClinic GA hospital information management system.
"Overall, authentication vulnerabilities are one of the most significant issues to the security of electronic protected health information," Brown says. "That is true whether at the application or at the device level," she says.
However, authentication issues tend to be more prominent in medical devices "because until the last few years, medical devices were considered standalone equipment used at the patient or bedside," she notes. Adding, "Now that these devices are connected to the network, integrated with other devices and electronic health record systems, security vulnerabilities are much more critical. Medical devices usually have a much longer life span than traditional IT devices. This means it is much more difficult to implement the same level of security controls to devices that may be five or more years old."
But the variety of vulnerabilities identified in the OpenClinic GA software is especially troubling, says former healthcare CIO David Finn, executive vice president at security and privacy consultancy CynergisTek.
The OpenClinic GA flaws spotlighted by the DHS alert "unfortunately, it is a long list, and several are very concerning," Finn says.
"Several are related to authentication, which, taken together represent a significant vulnerability, [which] opens the system to brute force attacks or execution of administrative functions on the system, such as SQL queries," he notes.
Also, "there is an issue around permission checking related to executing SQL queries which could allow a low-privilege user access to privileged information. The system does not properly verify uploaded files, which could allow low-privilege users to upload and execute arbitrary files," he adds.
Also, the OpenClinic GA system appears to include third-party software versions "that are end-of-life and contain known vulnerabilities, which could allow remote code execution," Finn adds.
However, "maybe most concerning is the fact that the system stores passwords using inadequate hashing difficulty, which may allow an attacker to recover passwords using known password cracking techniques."
Open Source Risks?
While the general use of open-source software appears in nearly every sector, the use of niche open-source clinical software systems such as OpenClinic GA does not tend to have as wide-spread deployment healthcare, some experts note.
In general, open source software "does tend to be found in smaller organizations - physician practices, labs - as a cost avoidance decision," Finn says. "But it also tends to show up in organizations that are academic or have large research components, he adds.
But Brown says the use of open source software in healthcare environments may be more prevalent than some realize. "Even in healthcare environments using commercial out of the box software, there are middleware and custom applications that are based on open source code," she notes.
"The key for organizations will always be diligent and thorough threat intelligence and vulnerability management. Open-source software can be a good tool for cash strapped providers for select application needs."