Philips, BD Yet Again Issue Medical Device Security Alerts
Experts Say Companies Offer Good Examples of Transparency
Philips and Becton Dickinson have each issued multiple alerts this year regarding cybersecurity vulnerabilities in some of their medical devices. Some security experts say the two companies' transparency about cybersecurity issues - including new alerts issued last week - should be emulated by other manufacturers.
The latest Philips alert issued on Aug. 21 deals with "resource exhaustion" flaws that put certain central patient monitoring systems at risk for denial-of-service attacks. The BD alert issued on Aug. 23 deals with authentication issues involving certain medical syringe pumps that are sold and used outside the U.S.
Philips and BD have been more transparent than some other device manufacturers about cyber vulnerabilities, some experts say. And they hope other companies will follow their lead.
"BD responded quickly and professionally, illustrating an excellent example of how a vendor should address security issues," says Elad Luz of the security firm CyberMDX, the researcher who identified the security issue that's the subject of BD's latest alert.
Ben Ransford, CEO of healthcare cybersecurity firm Virta Labs, adds: "I'm happy Philips has a well-functioning disclosure program. ... Philips deserve a lot of credit for leading by example."
The healthcare sector worldwide is facing tough challenges with the cybersecurity of medical devices, especially for older products, Luz says.
"Hospitals face a big challenge of interoperability; they have a variety of products from different vendors, [that] all need to be connected and be part of the hospital's workflow," Luz tells Information Security Media Group.
"Once this complicated integration is complete, hospitals tend to avoid making changes - whether it's upgrading machines, protocols, databases or software. Some integrations of different devices are dependent on each other and require multiple adaptations. And this is before we talk about the financial considerations of upgrading."
Healthcare providers must take note that one of the weakest links within their clinical networks is also their most critical asset: their connected medical devices, Luz says.
"Even more shocking is that hospitals often lack the visibility to determine whether a medical device has been hacked," he says. "As medical devices introduce a wide range of operating systems and communication protocols, it is imperative that hospitals deploy technology solutions that grant them not only visibility into the operational status of the devices, but also help detect and prevent a cyberattack."
The Latest Philips Alert
Philips' latest alert involves the company's IntelliVue Information Center iX Version B.02, a central patient monitoring system that's sold worldwide.
The "resource exhaustion" or "uncontrolled resource consumption" vulnerability, which was identified by a user of the Philips products, may result in a denial-of-service condition if exploited, notes the Industrial Control Systems Cyber Emergency Response Team, part of the Department of Homeland Security, in a separate advisory on the devices.
"An attacker may compromise the device's availability by performing multiple initial UDP requests," ICS-CERT notes. If the vulnerability is exploited, "the operating system will become unresponsive due to the network attack, which will affect the application's ability to meet the intended use," ICS-CERT says in its advisory.
In its own advisory about the problem, Philips notes that the vulnerability is remotely exploitable. "However, a high skill level by an attacker is required for successful exploitation. At this time, Philips has received no reports of exploitation of this vulnerability that impacts clinical use that we have been able to associate with this problem."
Philips says it has identified mitigations to reduce the risk of exploitation. It recommends following the device's labeling, including the "instructions for use" and "service guide," which describe compensating controls for this vulnerability.
Philips also will be providing remediation in the form of a patch in September for all customers using the impacted products.
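ICS-CERT's description above, a flood of "initial UDP requests" that makes the central station's operating system unresponsive, is the kind of traffic pattern a hospital network team can watch for on flow logs while waiting for the September patch. The following is an added example, not code from Philips, ICS-CERT or the original article: a sliding-window detector that flags any source sending an unusual burst of UDP datagrams to the monitoring host. The flow-record format, the central station address 10.20.30.40, the UDP port 24105 and the thresholds are all assumptions made for the example; the advisories name none of them, and the sample records are constructed.

```python
"""
Added example (not from the Philips or ICS-CERT advisories): flag a burst of
UDP datagrams from a single source toward a central patient-monitoring host.

Assumed, hypothetical flow-record format, one record per line:
    <timestamp_seconds> <src_ip> <dst_ip> <proto> <dst_port> <bytes>
The monitoring host address, UDP port and thresholds below are illustrative
assumptions, not vendor or ICS-CERT guidance.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Tuple

MONITOR_IP = "10.20.30.40"   # assumed address of the central station
MONITOR_PORT = 24105         # assumed UDP port; not stated in the advisories


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record into a Flow."""
    ts, src, dst, proto, dport, _nbytes = line.split()
    return Flow(float(ts), src, dst, proto, int(dport))


def detect_udp_bursts(lines: Iterable[str], monitor_ip: str,
                      window_s: float = 1.0,
                      threshold: int = 50) -> List[Tuple[str, float, int]]:
    """Return (src, window_start_ts, count) for each source that sends more
    than `threshold` UDP datagrams to `monitor_ip` within `window_s` seconds.
    Each offending source is reported once, at the moment it crosses the
    threshold. Non-UDP traffic and traffic to other hosts is ignored."""
    windows: Dict[str, Deque[float]] = defaultdict(deque)
    alerted = set()
    alerts: List[Tuple[str, float, int]] = []
    for line in lines:
        f = parse_flow(line)
        if f.proto != "UDP" or f.dst != monitor_ip:
            continue
        q = windows[f.src]
        q.append(f.ts)
        # Drop timestamps that have fallen out of the sliding window.
        while q and f.ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and f.src not in alerted:
            alerted.add(f.src)
            alerts.append((f.src, q[0], len(q)))
    return alerts


def constructed_flows() -> List[str]:
    """Constructed sample records: one benign bedside monitor sending a
    datagram per second, one host sending 200 datagrams in half a second,
    and an unrelated TCP connection to the same central station."""
    lines = []
    for i in range(60):                       # benign: 1 datagram / second
        lines.append(f"{1000 + i}.000 10.20.31.5 {MONITOR_IP} UDP {MONITOR_PORT} 120")
    for i in range(200):                      # burst: 200 datagrams in 0.5 s
        lines.append(f"{1030 + i * 0.0025:.4f} 10.20.99.7 {MONITOR_IP} UDP {MONITOR_PORT} 60")
    lines.append(f"1031.000 10.20.31.9 {MONITOR_IP} TCP 443 1500")
    return sorted(lines, key=lambda rec: float(rec.split()[0]))


if __name__ == "__main__":
    for src, start, count in detect_udp_bursts(constructed_flows(), MONITOR_IP):
        print(f"ALERT: {src} sent {count} UDP datagrams to {MONITOR_IP} "
              f"within 1 s starting at t={start:.3f}")
```

The detector keys on destination host and protocol rather than on a payload signature, because the advisory describes the problem as volume of initial requests rather than a malformed message; a real deployment would tune `window_s` and `threshold` against the site's normal bedside-to-central-station traffic before alerting on it.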
The Latest BD Alert
The BD medical devices highlighted in its latest alert are certain versions of the company's Alaris Plus Syringe Pumps sold and used outside the U.S.
The improper authentication vulnerabilities identified in the BD pumps impact software version 2.3.6 and below of Alaris GS, GH, CC and TIVA models, the company says.
BD notes in its advisory: "If exploited, this vulnerability may allow an attacker to gain remote access to devices when connected to a terminal server via the serial port. This potential vulnerability does not affect the Alaris Syringe Module sold in the U.S."
BD points out in its alert: "To execute this attack, one would need to ensure the affected device is connected to a terminal server via the serial port, have an understanding of the device communication protocol, have access to specific driver software to implement the pump protocol communication and the ability to penetrate a customer network and gain unauthorized access to terminal server devices. This vulnerability cannot be performed if the device is connected to an Alaris Gateway Workstation docking station. No protected health information or personally identifiable information can be accessed by executing this vulnerability."
BD notes that there have been no reports of this vulnerability being exploited. The company recommends mitigations and compensating controls to reduce risk associated with this vulnerability, including, for example, operating these devices in a segmented network environment or on a stand-alone basis.
A BD spokesman says that while the impacted products aren't used in the U.S., the company voluntarily reported the issues - identified by Luz of CyberMDX - to the information sharing and analysis organizations in which BD participates, including DHS' ICS-CERT and the National Health Information Sharing and Analysis Center. "Notifications from ICS-CERT also get sent to international CERT organizations, which is one of the reasons we contacted them in the first place," he adds.
Ransford of Virta Labs notes that the BD vulnerability involving "out-of-spec connectivity" highlights a factor that makes designing for cybersecurity in healthcare so difficult.
"We don't always get to choose how people use the things we make," he says. "Leave a familiar-looking port open, and someone with a job function other than security will plug something into it. People connect electronics together because they've been conditioned to believe that more connectivity is always better."
In May, BD and ICS-CERT issued advisories concerning certain BD medication and supply management products that are vulnerable to flaws identified last year in the WPA2 protocol, putting the products at risk for so-called KRACK attacks. Such attacks can potentially lead to malware infections, the alerts warned (see Certain Becton Dickinson Products at Risk for KRACK Flaw).
Earlier this month, Philips and ICS-CERT issued advisories concerning "improper privilege management" and "unquoted search path or element" vulnerabilities that pose risks in certain versions of Philips' IntelliSpace Cardiovascular cardiac image and information management software. In addition to those alerts, DHS and Philips also each issued alerts about vulnerabilities in certain Philips PageWriter Cardiographs products, which are used for diagnostic electrocardiogram testing. (See Cyber Warnings About Certain Philips Medical Devices).
Medical device cybersecurity issues are an international problem. There's a global market for medical devices, with specialized products sold outside the U.S., Ransford notes.
"Another challenge to securing healthcare environments is that most countries in the world, including the U.S., have robust secondary markets where devices are sold at steep discounts," he adds. "There's a huge benefit to making devices more accessible, but it means vulnerable devices stay in circulation for a long time."