Alerts: Security Flaw in Medication, Anesthesia Systems
Experts Offer Insights on Setting Risk Management Priorities During COVID-19 Crisis
A vulnerability in medication dispensing equipment and an anesthesia system from manufacturer Becton Dickinson could enable an attacker to access and modify sensitive data, according to alerts issued Tuesday.
Security challenges involving medical devices are potentially heightened while healthcare organizations are struggling with the response to the COVID-19 pandemic.
"As for the stretched-thin healthcare teams, prioritization is the key," says former healthcare CISO Mark Johnson, who heads the healthcare practice at consulting firm LBMC Information Security. "The cyber teams we're working with are mostly remote and are being asked to prioritize efforts."
Segmentation is the key to protect vulnerable medical devices, he adds. "That's hard to do in normal times and almost impossible today. I would recommend that everyone prioritize patches and vulnerabilities to focus on the availability of resources for core critical systems and medical devices like ventilators. Everything else is taking a backseat until we get through this."
In their alerts, the Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) and BD say the company recently discovered a "protection mechanism failure" vulnerability in certain models of the manufacturer's Pyxis MedStation ES and Pyxis Anesthesia (PAS) ES Systems.
"The affected BD medical devices utilize a method of software application implementation called 'kiosk mode'," US-CERT says in its alert. "This kiosk mode is vulnerable to local breakouts, which could allow an attacker with physical access to bypass kiosk mode and view and/or modify sensitive data."
A restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices, US-CERT adds. "Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data."
BD in its alert says the company has not received any reports of this vulnerability being exploited. The company's alert notes that it's in the process of deploying a security update that strengthens kiosk mode. BD says access to tools for viewing or manipulating local resources will be restricted.
"Based on the risk evaluation, the probability of harm is low, considering an unauthorized user would need physical access to the system to escape kiosk mode," BD says. "The medical benefit for continued use of the systems outweighs the risks associated with this vulnerability."
The vulnerability affects the BD Pyxis MedStation ES System, a medication dispensing system, version 1.6.1, and the BD Pyxis Anesthesia (PAS) ES System, version 1.6.1. These products are deployed globally, US-CERT notes.
BD in its alert recommends certain mitigations and compensating controls to reduce risk associated with the vulnerability. Those include:
- Limit physical access to the Pyxis MedStation ES and Anesthesia (PAS) ES Systems to authorized users only;
- Isolate impacted systems and only connect them to trusted systems;
- Monitor and investigate unplanned reboots of systems using network monitoring tools provided by customer IT departments.
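The third mitigation asks customers to watch for unplanned reboots from the network, since nothing can be installed on the device itself. One way to do that, shown here as an added example that is not from BD's or US-CERT's alert, is to poll each device's SNMP sysUpTime (a 32-bit counter of hundredths of a second) and treat any counter reset that does not land in a maintenance window as an event to investigate. The device names, the 02:00 to 04:00 window, the 5-minute jitter tolerance and the poll records are constructed assumptions; the script consumes poll lines an existing monitoring tool has already collected rather than issuing SNMP queries itself, and it also handles the counter wrap that occurs after about 497 days of uptime so that a wrap is not mistaken for a reboot.

```python
"""Flag unplanned reboots of polled devices from sysUpTime samples (added example)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

TICKS_PER_SECOND = 100                      # SNMP sysUpTime counts hundredths of a second
COUNTER_WRAP = 2 ** 32                      # TimeTicks is 32-bit; it wraps after ~497 days
JITTER_TICKS = 5 * 60 * TICKS_PER_SECOND    # tolerated polling drift (assumption: 5 minutes)


@dataclass(frozen=True)
class Sample:
    polled_at: datetime   # when the poller read the value (UTC)
    device: str           # hostname of the polled device
    uptime_ticks: int     # sysUpTime value the device returned


def parse_sample(line: str) -> Sample:
    """Parse one poll record of the constructed form '<ISO-8601 UTC> <device> <sysUpTime>'."""
    ts, device, ticks = line.split()
    polled_at = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Sample(polled_at, device, int(ticks))


def in_maintenance_window(moment: datetime, start: time, end: time) -> bool:
    """True when the clock time of `moment` falls in [start, end); window must not cross midnight."""
    return start <= moment.time() < end


def detect_reboots(lines: Iterable[str],
                   maint_start: time = time(2, 0),
                   maint_end: time = time(4, 0)) -> List[Tuple[str, datetime, bool]]:
    """Return (device, approximate reboot time, planned?) for every uptime reset in the records."""
    last: Dict[str, Sample] = {}
    findings: List[Tuple[str, datetime, bool]] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        cur = parse_sample(line)
        prev = last.get(cur.device)
        last[cur.device] = cur
        if prev is None:
            continue                      # first sample for this device: nothing to compare
        elapsed_ticks = int((cur.polled_at - prev.polled_at).total_seconds()) * TICKS_PER_SECOND
        expected = (prev.uptime_ticks + elapsed_ticks) % COUNTER_WRAP
        # Distance on the 32-bit ring, so a counter wrap near 2^32 is still "as expected".
        diff = (cur.uptime_ticks - expected) % COUNTER_WRAP
        if min(diff, COUNTER_WRAP - diff) <= JITTER_TICKS:
            continue                      # counter advanced with wall-clock time: no reboot
        # Counter reset: the device has been up for less time than the gap between polls,
        # so it restarted roughly uptime_ticks ago.
        if cur.uptime_ticks < elapsed_ticks:
            rebooted_at = cur.polled_at - timedelta(seconds=cur.uptime_ticks / TICKS_PER_SECOND)
            planned = in_maintenance_window(rebooted_at, maint_start, maint_end)
            findings.append((cur.device, rebooted_at, planned))
    return findings


def unplanned_devices(findings: List[Tuple[str, datetime, bool]]) -> List[str]:
    """Devices whose reboot fell outside the maintenance window, in detection order."""
    return [device for device, _, planned in findings if not planned]


# Constructed 15-minute poll records; device names and values are invented for the example.
SAMPLE_POLLS = [
    "# constructed sysUpTime polls, not real device data",
    "2020-03-31T12:45:00Z pyxis-or-07 50000000",
    "2020-03-31T13:00:00Z pyxis-or-07 50090000",
    "2020-03-31T13:15:00Z pyxis-or-07 78000",      # reset around 13:02: outside the window
    "2020-03-31T02:15:00Z pyxis-icu-02 9000000",
    "2020-03-31T02:30:00Z pyxis-icu-02 9090000",
    "2020-03-31T02:45:00Z pyxis-icu-02 30000",     # reset around 02:40: inside the window
    "2020-03-31T05:00:00Z pyxis-ed-01 4294900000",
    "2020-03-31T05:15:00Z pyxis-ed-01 22704",      # 32-bit counter wrap, not a reboot
]

if __name__ == "__main__":
    for device, when, planned in detect_reboots(SAMPLE_POLLS):
        label = "planned" if planned else "UNPLANNED - investigate"
        print(f"{device}: rebooted at about {when:%Y-%m-%d %H:%M}Z ({label})")
```

A reboot is only one possible indicator of a kiosk-mode breakout, so a finding is a prompt to pull the device's own logs and check physical access records for that time, not proof of tampering. Tie the maintenance window to the change calendar rather than a fixed clock range if the organization patches on varying schedules.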
In a statement provided to ISMG, BD CISO Rob Suárez advises healthcare delivery organizations to strengthen their cybersecurity protocols in response to increased cyberthreats during the COVID-19 crisis.
Operational guidelines for cybersecurity include, but are not limited to, the following, he says:
- Use strong network controls, such as the latest WPA protocols, for wireless authentication;
- Use intrusion detection systems and monitor wireless networks for possible malicious activity;
- Operate critical services on a secured network behind separate firewalls;
- Regularly maintain all recommended patches;
- Utilize malware protection;
- Restrict system access to authorized personnel only and follow a principle of least privilege approach;
- Disable any unnecessary accounts, protocols and services;
- Educate staff about maintaining physical, technical and administrative security protocols, including behaviors aimed at protecting the organization from social engineering and phishing attacks.
"BD maintains an unwavering commitment to cybersecurity and is closely monitoring for increased cyber activity as cybercriminals attempt to exploit the COVID-19 crisis," a BD spokeswoman tells ISMG.
"In response to the increased cyber threat activity globally, BD has strengthened its internal cybersecurity protocols to detect and prevent attacks aimed at creating disruption or compromising security or privacy. BD remains vigilant in monitoring product security and will continue to proactively and voluntarily publish product security bulletins and notifications as needed so our customers on the front lines can properly manage potential vulnerabilities with minimal disruption and focus on caring for their patients."
Assessing the Risk
Johnson of LBMC Information Security says the specific vulnerability impacting the BD medical gear is "a low risk" given the physical proximity required to exploit it. "I didn't see anything else in the alert that would make me think there is a higher risk level."
But healthcare organizations should alert their staff to take extra precautions about leaving these devices unattended in areas that cannot be monitored, says Clyde Hewitt, executive adviser at the security consultancy CynergisTek.
"It is interesting to note that while these Pyxis models can be bypassed, there is a higher risk and probability of a successful physical attack by using the default user ID and passwords that are published in several places on the internet," he says. "Until healthcare organizations have implemented a robust password management process, these devices should be protected from unauthorized physical access."
The alerts about the BD devices come as healthcare organizations are fighting the COVID-19 pandemic and facing shortages of critical medical supplies and equipment, including ventilators (see COVID-19: Security Risks as Manufacturers Shift Gears).
The Food and Drug Administration on March 28 issued guidance for how the healthcare sector can help expand the availability of ventilators as well as other respiratory devices and their accessories during this pandemic.
The guidance notes that the FDA "does not intend to object to limited modifications to ... the hardware, software or materials of FDA-cleared devices used to support patients with respiratory failure or respiratory insufficiency." That includes limited modifications to certain anesthesia equipment for use as a ventilator to support patients with respiratory failure or respiratory insufficiency.
The BD spokeswoman tells ISMG that the BD Pyxis Anesthesia ES System that is a subject of the vulnerability alert "does not deliver anesthesia directly to patients and would not be a candidate for being repurposed as a ventilator in response to the COVID-19 crisis."
Matthew Dimino, medical device security consultant at CynergisTek, notes that there are numerous potential risks associated with using medical equipment beyond its intended purpose and normal environment.
"In this case with equipment such as anesthesia machines being used as ventilators, this poses a lot of risks. Most of these devices are located in operating rooms and special procedure areas. Anesthesia machines are designed to be mobile, but most do not fit the form factor that normal ventilators conform to."