Alerts: Vulnerabilities in 6 Medical DevicesDHS Warns of Security Issues in Devices from Baxter, BD and Biotronik
Federal authorities are sounding the alarm about cybersecurity vulnerabilities in six medical devices from three manufacturers. The device makers are providing risk mitigation advice.
On Thursday, the Industrial Control Systems' Computer Emergency Response Team - a unit of Department of Homeland Security's Cybersecurity and Infrastructure Security Agency - issued six alerts about vulnerabilities in medical devices from Baxter, BD and Biotronik.
Some of the flaws - if exploited - could result in compromises of patient information and allow attackers to alter data or system configurations or launch a distributed denial-of-service attack.
Four of the six DHS alerts pertain to several medical device products from Deerfield, Ill.-based manufacturer Baxter, which identified and reported the problems to CISA.
The device alerts pertain to:
Baxter ExactaMix - Vulnerabilities in this medication compounding gear include use of hard-coded passwords, cleartext transmission of sensitive data, missing encryption of sensitive data, improper access control, exposure of resource to wrong sphere and improper input validation. Successful exploitation of these vulnerabilities could result in unauthorized access to sensitive data, alteration of system configuration, alteration of system resources, and impact to system availability. The company issued a statement with mitigation steps, including segmenting the ExactaMix Compounder from the enterprise main network and blocking all non-required communication via firewall and ACL configuration.
Baxter Sigma Spectrum Infusion Pumps - Vulnerabilities include use of hard-coded passwords, cleartext transmission of sensitive data, incorrect permission assignment for critical resources and operation on a resource after expiration or release. Exploitation could result in access to sensitive data, alteration of system configuration and impact to system availability. Baxter says mitigation steps include isolating Spectrum infusion systems to their own network VLAN to segregate the systems from other hospital systems and reduce the probability that a threat actor could execute a "man in the middle" attack against the system to observe clear-text communications.
Baxter Phoenix Hemodialysis Delivery System - The vulnerability involves cleartext transmission of sensitive information in the renal therapy system. Exploitation could allow an attacker with unauthorized network access to view sensitive data. Baxter says mitigation steps include ensuring that Phoenix machines and Exalis Server PCs reside on a dedicated subnetwork.
Baxter PrismaFlex and PrisMax - Vulnerabilities in these devices used to treat kidney ailments and various other issues include cleartext transmission of sensitive information, improper authentication and use of hard-coded passwords. Exploitation would enable an attacker with network access to view and alter sensitive data. Baxter says mitigation steps include limiting physical access to the device to only authorized users and providing training for personnel granted elevated privileges on the device.
Baxter did not immediately respond to an Information Security Media Group request for comment on the product alerts.
BD Product Alert
The DHS alert pertaining to certain versions of the BD Alaris PCU infusion pump system, notes Franklin Lakes, NJ-based BD notified the agency about a third-party Linux kernel vulnerability involving uncontrolled resource consumption.
"Successful exploitation of this vulnerability could allow an attacker to cause a DDoS on the target system and could cause the BD Alaris PCU to disconnect from the facility's wireless network," the alert warns.
"Wireless functionality operates independently from the pump system, and a disruption in wireless connectivity would not affect pump module functionality," the alert notes. "Exploiting this vulnerability would not provide administrative access to the BD Alaris PC Unit or the BD Alaris Systems Manager. An unauthorized user would not be able to gain permissions or be able to perform remote commands for the BD Alaris PC Unit."
The advisory notes that BD recommends several steps to help reduce the risks associated with this third-party vulnerability. Those measures include considering stronger network controls for wireless authentication and using intrusion detection systems to monitor wireless networks with patient connected devices for possible malicious activity.
BD has also issued its own advisory that includes more detailed mitigation steps to address the issues.
"Third-party vulnerability disclosures are an essential component of our approach to transparency and enable customers to understand if and how third-party vulnerabilities may affect BD products so they can properly manage a potential risk," the company says in a statement provided to Information Security Media Group.
"In the spirit of collaboration, BD voluntarily reports third-party [discovered] vulnerabilities to the U.S. Food and Drug Administration and information sharing and analysis organizations such as the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team and the Health Information Sharing and Analysis Center," the company says.
DHS says vulnerabilities identified in certain versions the Biotronick CardioMessenger II device were reported to the agency by independent researchers. The product is a home monitoring unit for patients with certain cardiac devices.
The vulnerabilities include improper authentication, cleartext transmission of sensitive information, missing encryption of sensitive data and storing passwords in a recoverable format.
"Successful exploitation of these vulnerabilities could allow an attacker with physical access to the CardioMessenger to obtain sensitive data, obtain transmitted medical data from implanted cardiac devices with the implant's serial number or impact Cardio Messenger II product functionality," the alert notes. "Successful exploitation of these vulnerabilities could allow an attacker with adjacent access to influence communications between the home monitoring unit and the access point name gateway network."
DHS says Biotronik has identified compensating controls that have been put place to reduce the risk of exploitation and prevent patient safety risks. The company also recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, including maintaining physical control over home monitoring units.
In a statement provided to ISMG, Biotronik, headquartered in Berlin, Germany, says, "In October 2019, researchers at SINTEF [a research firm in Trondheim, Norway], provided a report to Biotronik describing potential cybersecurity concerns associated with CardioMessenger II devices which are no longer available on the market. We would like to reassure patients, healthcare providers and physicians that these devices are safe and can continue to be used as intended. It is also important to note that there have been no cyberattacks or privacy breaches related to CardioMessenger."
These cybersecurity alerts from DHS come on heels of DHS and cybersecurity consultancy JSOF on Tuesday announcing the discovery of 19 so-called "Ripple20" vulnerabilities in TCP/IP software from vendor, Treck. That software is used in certain medical devices, such as infusion pumps (see Ripple20 Flaws in Medical Devices: The Risks).
Experts say the flurry of cybersecurity advisories this week pertaining to medical devices illustrates the challenges involved in protecting these endpoints.
"There is no question that the current state of medical device security needs more attention and that keeping up will be an ongoing challenge for manufacturers and healthcare providers and patients who use IoT devices."
—Bill Aerts, Archimedes Center for Medical Device Security
"Medical device security has been an Achilles' heel for healthcare providers as these types of devices were not inherently developed with cybersecurity in mind," says Matt Sadler, senior security manager at consultancy LBMC Healthcare Information Security.
"While it is encouraging that we see manufacturers and other vendors becoming more proactive with assessing the security posture of their products and voluntarily notifying the industry and regulators of security vulnerabilities, we still have a long way to go."
Increasingly, device manufacturers are developing processes and procedures to monitor and test the security of their products and then share updates about vulnerabilities, says Bill Aerts, executive director of Archimedes Center for Medical Device Security at the University of Michigan.
"There is no question that the current state of medical device security needs more attention and that keeping up will be an ongoing challenge for manufacturers and healthcare providers and patients who use IoT devices," he says.
"The industry has made significant progress in the last five years, but the target is changing and growing constantly, and it's a real challenge to address every possible security weakness."