Medical Device Cybersecurity: 3 Alerts Issued
U.S. CERT, a Unit of CISA, Warns of Vulnerabilities That Need Mitigation
Federal regulators have recently issued three advisories on cybersecurity vulnerabilities identified in medical devices. Some experts say the spotlighted flaws are issues commonly found in legacy medical devices as well as other IT products.
The advisories from the U.S. Computer Emergency Response Team, or U.S. CERT, a unit of the recently launched Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, address the following issues:
A “session fixation” vulnerability. This is in certain versions of the BD Pyxis medication management platform from Becton Dickinson.
Existing access privileges are not restricted in coordination with the expiration of access based on Active Directory user account changes when the device is joined to an Active Directory domain. Successful exploitation of this vulnerability could allow the AD credentials of a previously authenticated user to be used to gain access to the device, patient data and medications.
For exploitation to occur, products must be actively using AD for login and be connected to the hospital domain. Users who do not use AD are not impacted by this vulnerability.
A “use of obsolete function” vulnerability. This vulnerability occurs in the Philips HDI 4000 Ultrasound system if it runs an outdated and unsupported operating system, such as Windows 2000. The vulnerability could allow an unauthorized user to access ultrasound images or compromise image integrity.
An “incorrect default permissions” vulnerability. This is found in some cardiology products from Change Healthcare, which was created in 2016 when McKesson Corp.’s information technology unit merged with Change Healthcare Holdings.
The vulnerability affects Horizon Cardiology 11.x and earlier, Horizon Cardiology 12.x, McKesson Cardiology 13.x, McKesson Cardiology 14.x and Change Healthcare Cardiology 14.1.x. Insecure file permissions in the default installation could enable an attacker with local system access to execute unauthorized arbitrary code.
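The “incorrect default permissions” class above is one that an administrator can check for locally. The following PowerShell audit is an added example, not code from the advisory or from Change Healthcare: it walks an install directory and flags every file or folder where a broad principal (Everyone, Users, Authenticated Users) holds write-class rights, which is the condition that lets a local user replace application files. The install path and the principal list are assumptions to adjust for your site.

```powershell
# Added example (not from the advisory or the vendor): find files/folders under an
# application install root where broad groups hold write-class NTFS rights.
$InstallRoot = 'C:\PLACEHOLDER\Cardiology'   # assumption: the product's install root

# Principals that should never be able to modify application binaries or configs
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow changing content or permissions; FullControl and Modify include Write
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, ChangePermissions, TakeOwnership'

function Find-WeakAppPermissions {
    param([string]$Root)

    # Include the root itself; Get-ChildItem only returns its descendants
    $items = @(Get-Item -Path $Root) +
             @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($BroadPrincipals -notcontains $who) { continue }
            # Generic rights show up as raw bits, so compare as integers
            if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs point at a parent folder to fix
            }
        }
    }
}

Find-WeakAppPermissions -Root $InstallRoot | Format-Table -AutoSize
```

Inherited findings are usually fixed once at the parent folder; the vendor's configuration-change instructions take precedence over any blanket tightening.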
Legacy Device Woes
“These vulnerabilities are extremely common for legacy products because of the nature of medical devices,” says Clyde Hewitt, executive adviser at the security consulting firm CynergisTek.
For instance, many medical devices have not been designed with security in mind, he says. On top of that, because medical devices are expensive and generally considered to be a capital equipment purchase for most healthcare providers, the life expectancy of those products often surpasses the length of support provided by the manufacturer for the equipment’s software, he adds.
Making matters worse, security patching is rarely done for medical devices on an ongoing basis, he notes. All of these factors “present a high level of risk with devices that do not have active technical vulnerabilities routinely identified and remediated and have little to no security support over their lifetime of 15-plus years.”
In a statement, BD says it is not aware of any instances in which patient data was viewed without authorization as a result of the vulnerability in BD Pyxis.
“While this vulnerability has been remediated in the latest software release, 126.96.36.199, BD recommends … mitigations and compensating controls in order to reduce risk associated with this vulnerability,” the company says. Those steps include:
- Removing expired users from the relevant Active Directory role that grants access to the BD Pyxis ES system;
- Not placing the BD Pyxis ES systems on the hospital domain;
- Avoiding reliance on expiration dates to remove users from their hospitals' Active Directory system.
BD has created a remediation that removes accessibility to the SMB network share, the manufacturer adds.
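The first of BD's mitigations, removing expired users from the Active Directory role that grants Pyxis access, is the kind of check worth automating, because the vulnerability means the device itself will not enforce the expiration. The script below is an added example, not BD's or U.S. CERT's code: it lists members of the access group whose AD accounts are expired or disabled so they can be reviewed and removed. It assumes the RSAT ActiveDirectory module is installed and uses a placeholder group name.

```powershell
# Added example (not from BD or the advisory): report members of the Pyxis access
# group whose accounts have expired or been disabled in Active Directory.
Import-Module ActiveDirectory

$PyxisGroup = 'PLACEHOLDER-Pyxis-Access'   # assumption: your site's access role

function Get-StalePyxisMembers {
    param([string]$GroupName)
    $now = Get-Date

    # -Recursive flattens nested groups so indirectly granted users are seen too
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                    -Properties AccountExpirationDate, Enabled, LastLogonDate

            # Expired means an expiration date is set and already in the past
            $expired = ($null -ne $u.AccountExpirationDate) -and
                       ($u.AccountExpirationDate -lt $now)

            if ($expired -or -not $u.Enabled) {
                [pscustomobject]@{
                    SamAccountName = $u.SamAccountName
                    Enabled        = $u.Enabled
                    Expired        = $expired
                    ExpiresOn      = $u.AccountExpirationDate
                    LastLogon      = $u.LastLogonDate
                }
            }
        }
}

$stale = Get-StalePyxisMembers -GroupName $PyxisGroup
$stale | Format-Table -AutoSize

# After review, remove confirmed stale accounts from the role. -WhatIf previews the
# change; drop it to apply.
# $stale | ForEach-Object {
#     Remove-ADGroupMember -Identity $PyxisGroup -Members $_.SamAccountName -Confirm:$false -WhatIf
# }
```

Run it on a schedule and alert on a non-empty result; since the device trusts group membership rather than account state, the group itself is the control that has to stay clean.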
U.S. CERT notes that the BD Pyxis vulnerability takes only a low skill level to exploit.
Philips says it has not received any reports of exploitation of the vulnerabilities in its ultrasound devices or incidents from clinical use.
“This issue does not affect patient safety, system operations or availability,” Philips says. The company, which says it reported the vulnerability to DHS, recommends that users implement controls to limit access to the network and consider replacing affected ultrasound devices with newer technology that has a supported operating system.
U.S. CERT notes about the Philips vulnerability: “Public exploits are available/exploitable from within the same local subnet.”
Change Healthcare Product Issue
In a statement provided to Information Security Media Group, Change Healthcare says that to address the vulnerability in its cardiology products, the company is requesting that affected customers contact it to obtain a software remediation patch as well as configuration change instructions.
“Although Change Healthcare is not aware of any specific security incidents related to this vulnerability, which requires local system access to clients, the patch and configuration change strengthens cybersecurity in affected products and mitigates the potential exploitability of this vulnerability,” the statement says.
The U.S. CERT advisory notes that the Change Healthcare product vulnerability, which takes a low level of skill to exploit, was identified by two third-party researchers.
Former healthcare CISO Mark Johnson, a consultant at LBMC Information Security, says the types of vulnerabilities described in U.S. CERT’s alerts are common.
“Are they more common than other computers or applications? Maybe not,” he says. “Looking for vulnerabilities in systems and applications is not easy. Looking at medical devices is a relatively new area for vulnerability hunters. As more hunters look at medical devices, I expect we’ll continue to see more of these alerts.”
The most concerning alert, Johnson says, is about the Philips ultrasound product’s issue related to outdated operating systems.
“All systems and applications come to an end of life. This is a problem for all computers and applications, not just medical devices,” Johnson notes. “Over the past several months, we have been working with several clients that are dealing with the end of life for Microsoft’s OS Windows 7 coming at the end of this year.”
Exacerbating the medical devices problem is that, compared with most other computer products, medical devices are generally more expensive and therefore tend to be used for much longer. “There will not be patches or fixes coming from the vendor in the future. You’re on your own,” he says.
Hewitt has similar concerns about the Philips device vulnerability.
“The ultrasound vulnerability is a serious issue because it cannot be patched or remediated due to the unsupported software the equipment is running,” he says. “And any of the previous vulnerabilities - which could be any of the many different technical vulnerabilities that have been identified on these types of imaging equipment previously - will remain active on the devices because they are not being appropriately addressed due to no fault of the clinical engineer or IT/security team but simply because there is no method of remediation without a software upgrade or security patch.”
Compensating controls can be applied for this type of equipment, including a secure network management strategy, Hewitt says. “This is not a substitute for remediation and should only be used as a short-term solution until remediation can be applied – which, in this case, is going to be nearly impossible unless the software manufacturer releases a patch or update for the unsupported operating system, which is highly unlikely,” he adds.
The other two vulnerabilities involving the BD and Change Healthcare products are related to managing the access controls, Hewitt notes.
Security patches or upgrades to the software can be applied to these types of devices on an ongoing basis by the team supporting this equipment, he points out.
Johnson notes that in the alerts about the Change Healthcare and BD product vulnerabilities, U.S. CERT advises that users “minimize network exposure for all medical devices and/or systems.” He adds: “This is what we are telling our clients and what I have been saying for a while now. Segment your environment and protect these systems. All healthcare CIOs and CISOs need to now begin the hard work of segmenting their environments.”