DHS Issues More Medical Device Cybersecurity AlertsWhy Are Such Warnings Becoming More Common?
The Department of Homeland Security has yet again issued a warning about cybersecurity vulnerabilities in medical devices. These warnings have come after independent researchers, or the companies themselves, have reported the problems.
See Also: Threat Intelligence - Hype or Hope?
The two latest alerts from DHS's Industrial Control Systems Emergency Response Team warn of the risk that flaws could be exploited by attackers to obtain unauthorized access to systems or to modify settings. They deal with vulnerabilities in some wireless electrocardiogram products from Silex Technologies and GE Healthcare, and vulnerabilities in certain computed tomography, or CT, systems from Philips.
Among the agency's other warnings earlier this year was one about other GE Healthcare products (see DHS: Some GE Imaging Devices Are Vulnerable).
Silex/GE Healthcare Vulnerabilities
ICS-CERT's May 8 advisory deals with wireless medical device technology from GE Healthcare and Silex Technology. Some of the affected Silex technology is integrated into various GE's MobileLink wireless electrocardiogram products. Impacted equipment from the vendors include various versions in the SX-500, SD-320AN, and MobileLink product lines.
ICS-CERT notes that vulnerabilities in the GE and Silex products involve improper authentication and operating systems command injection that if successfully exploited, could allow modification of system settings and remote code execution.
The advisory notes that researcher Eric Evenchick of the security firm Atredis Partners reported these vulnerabilities to Silex and GE and tested pre-release firmware and other mitigations from the vendors to confirm they resolved the vulnerabilities.
The mitigation offered by Silex and GE includes firmware updates. But in addition, ICS-CERT recommends users take other defensive measures to minimize the risk of exploitation of these vulnerabilities. That includes:
- Minimizing network exposure for all control system devices and/or systems, and ensuring that they are not accessible from the Internet;
- Locating control system networks and remote devices behind firewalls and isolating them from the business network;
- Using secure methods for remote access, such as virtual private networks.
In a statement provided to Information Security Media Group, GE Healthcare says it is aware of the recent ICS-CERT advisory, "which notes that a researcher has discovered two security vulnerabilities within a Silex wireless bridge used as an optional accessory in certain ECG products. These vulnerabilities are specific to the bridge and the wireless connectivity provided via the bridge, and do not directly affect the GE Healthcare devices. We are working closely with customers to implement best practices for security and supporting requests for assistance."
A GE Healthcare spokeswoman adds: "There is no known exploit of a bridge used with one of our devices at this time."
Affected Philips Product
A May 3 advisory from ICS-CERT pertaining to certain Philips Brilliance CT Scanners notes that the vulnerabilities were reported to DHS by Philips.
Those vulnerabilities involve "execution with unnecessary privileges," exposure of resource to a wrong control "sphere" and use of hard-coded credentials.
DHS notes that successful exploitation of these vulnerabilities may allow an attacker to attain elevated privileges and access unauthorized system resources, including access to execute software or to view/update files including patients' protected health information, directories or system configuration.
"This could impact system confidentiality, system integrity, or system availability," ICS-CERT notes. Philips has received no reports of exploitation or incidents from clinical associated with these vulnerabilities, the agency adds.
Philips Brilliance CT devices operate user functions from within a contained kiosk in a Microsoft Windows operating system, ICS-CERT writes. "Windows boots by default with elevated Windows privileges, enabling a kiosk application, user, or an attacker to potentially attain unauthorized elevated privileges. Also, attackers may gain access to unauthorized resources from the underlying Windows operating system," the agency says.
Additionally, vulnerabilities within the Brilliance CT kiosk environment could enable a limited-access kiosk user or an unauthorized attacker to break-out from the containment of the kiosk environment, attain elevated privileges from the underlying Windows OS, and access unauthorized resources from the operating system, ICS-CERT says in the advisory.
The advisory also notes that the Brilliance CT software contains fixed credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components or encryption of internal data. "An attacker could compromise these credentials and gain access to the system," the agency says.
Philips is providing mitigation steps and guidance to address the vulnerabilities. That includes Philips having remediated hard-coded credential vulnerabilities for all Brilliance iCT 4.x and above versions.
The company also recommends that customers implement "a comprehensive, multilayered strategy to protect their systems from internal and external security threats, including restricting physical access of the scanner to only authorized personnel, thus reducing the risk of physical access being compromised by an unauthorized user."
The new ICS-CERT alerts are the latest in a series of warnings issued in recent months concerning cybersecurity problems involving medical equipment.
One of those earlier advisories involved hardcoded and default passwords in other GE Healthcare products. A March ICS-CERT alert warned of vulnerabilities in certain medical imaging product lines from GE Healthcare that could potentially allow a remote attacker to bypass authentication and gain access to the affected devices.
In addition, ICS-CERT earlier this month issued an advisory concerning vulnerabilities reported to the agency by Becton Dickinson related to "KRACK" flaws affecting some versions of the vendor's Pyxis medication and supply management products.
Striking a Balance?
Some security experts expect that cybersecurity-related alerts pertaining to medical devices will likely become more frequent as awareness of the issues improves.
In many instances, independent researchers have identified and reported the problems they've discovered in medical devices, which appears to be the case in the recent Silex/GE Healthcare related alert.
But increasingly - as in the Philips alert - vendors are reporting vulnerabilities in their products to regulators.
"One of these [most recent] advisories represents a manufacturer self-reporting, which represents exactly the kind of omphaloskepsis we researchers have been encouraging for years, says Ben Ransford, co-founder and CEO of Virta Labs, a healthcare cybersecurity firm. "Absolutely every stakeholder benefits when manufacturers report their own vulnerabilities.
"Medical device manufacturers have to strike a delicate balance as they catch up with cybersecurity best practices. If they report lots of critical issues, they'll look buggy; but if they report too few, it will look like they're underreporting."
Ransford urges manufacturers to be "forthcoming when they discover flaws."