Federal regulators have recently issued three advisories on cybersecurity vulnerabilities identified in medical devices. Some experts say the spotlighted flaws are issues commonly found in legacy medical devices as well as other IT products.
The advisories from the U.S. Computer Emergency Readiness Team, or US-CERT, a unit of the recently launched Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, address the following issues:
A “session fixation” vulnerability. This is in certain versions of the BD Pyxis medication management platform from Becton Dickinson.
When the device is joined to an Active Directory domain, existing access privileges are not revoked in step with changes to, or expiration of, the corresponding Active Directory user account. Successful exploitation could allow the AD credentials of a previously authenticated user to be used to gain access to the device, patient data and medications after that account should no longer have access.
For exploitation to occur, the product must be actively using AD for login and be connected to the hospital domain. Users who do not use AD are not affected by this vulnerability.
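The revocation gap described above, as an added example that is not BD's code or the advisory's: authorization that consults only the local session keeps honoring privileges after the AD account is disabled, expired or changed, while the hardened check re-validates the principal against the directory on every privileged action. The directory is simulated in memory; SimDirectory, Account and Session are constructed names, and the attribute names mirror AD's accountExpires and whenChanged only by analogy.

```python
"""Session privileges vs. directory account state (constructed illustration)."""
from dataclasses import dataclass


@dataclass
class Account:
    """Stand-in for an AD user object (assumption, not a real LDAP schema)."""
    sam: str
    enabled: bool = True
    expires_at: float = float("inf")   # like accountExpires
    changed_at: float = 0.0            # like whenChanged
    groups: frozenset = frozenset()


class SimDirectory:
    """Minimal in-memory stand-in for the hospital domain."""
    def __init__(self):
        self.accounts = {}

    def add(self, acct):
        self.accounts[acct.sam] = acct

    def lookup(self, sam):
        return self.accounts.get(sam)

    def disable(self, sam, now):
        a = self.accounts[sam]
        a.enabled = False
        a.changed_at = now

    def set_groups(self, sam, groups, now):
        a = self.accounts[sam]
        a.groups = frozenset(groups)
        a.changed_at = now


@dataclass
class Session:
    sam: str
    issued_at: float
    groups: frozenset   # privileges cached at login time


def login(directory, sam, now):
    """Authenticate once against the directory and cache the group set."""
    acct = directory.lookup(sam)
    if acct is None or not acct.enabled or now >= acct.expires_at:
        return None
    return Session(sam=sam, issued_at=now, groups=acct.groups)


def authorize_vulnerable(session, now, needed_group):
    """Only the cached session is consulted: a later disable, expiry or
    group change in AD has no effect until the session ends on its own."""
    return needed_group in session.groups


def authorize_hardened(directory, session, now, needed_group):
    """Re-validate the principal on every privileged action: refuse if the
    account is gone, disabled or expired, or if it changed after the session
    was issued (forcing re-authentication), and evaluate membership against
    the directory's current groups rather than the cached copy."""
    acct = directory.lookup(session.sam)
    if acct is None or not acct.enabled or now >= acct.expires_at:
        return False
    if acct.changed_at > session.issued_at:
        return False
    return needed_group in acct.groups


def offboarding_scenario():
    """Constructed timeline: nurse logs in, is then disabled in AD.
    Returns ((vuln, hardened) before disable, (vuln, hardened) after)."""
    d = SimDirectory()
    d.add(Account("nurse1", groups=frozenset({"MedDispense"})))
    s = login(d, "nurse1", now=100.0)
    before = (authorize_vulnerable(s, 101.0, "MedDispense"),
              authorize_hardened(d, s, 101.0, "MedDispense"))
    d.disable("nurse1", now=200.0)   # account disabled in the domain
    after = (authorize_vulnerable(s, 201.0, "MedDispense"),
             authorize_hardened(d, s, 201.0, "MedDispense"))
    return before, after
```

The per-request directory check is the expensive but correct side of the trade-off; in practice a device would cache the lookup for a short bounded window, which is still far shorter than an indefinite session lifetime.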
A “use of obsolete function” vulnerability. This vulnerability occurs in the Philips HDI 4000 Ultrasound system if it runs an outdated and unsupported operating system, such as Windows 2000. The vulnerability could allow an unauthorized user to access ultrasound images or compromise image integrity.
An “incorrect default permissions” vulnerability. This is found in some cardiology products from Change Healthcare, which was created in 2016 when McKesson Corp.’s information technology unit merged with Change Healthcare Holdings.
The vulnerability affects Horizon Cardiology 11.x and earlier, Horizon Cardiology 12.x, McKesson Cardiology 13.x, McKesson Cardiology 14.x and Change Healthcare Cardiology 14.1.x. Insecure file permissions in the default installation could enable an attacker with local system access to execute unauthorized arbitrary code.
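The default-permissions weakness above, as an added example that is neither Change Healthcare's code nor the advisory's: a small audit that walks an installation tree and flags loadable files and directories that a non-owner can write to, plus a remediation that strips those write bits. POSIX mode bits are used here as a stand-in for the Windows ACLs the advisory actually concerns (an assumption), the suffix list is a constructed approximation of "loadable code", and the install tree is built in a temporary directory for the demonstration.

```python
"""Audit and harden file permissions in an install tree (constructed example)."""
import os
import stat
import tempfile

# Assumption: these suffixes approximate files that run or get loaded as code.
CODE_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".sys", ".so")


def _writable_by_others(mode):
    """True if the group or world write bit is set."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_install_dir(root):
    """Return a sorted list of (relative_path, reason) findings.
    'writable-code': a loadable file a non-owner may modify, so whoever runs
    it executes attacker-supplied code.  'writable-dir': a directory a
    non-owner may write into (and that lacks the sticky bit), so binaries
    can be planted or replaced there."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dmode = os.lstat(dirpath).st_mode
        if _writable_by_others(dmode) and not (dmode & stat.S_ISVTX):
            findings.append((os.path.relpath(dirpath, root), "writable-dir"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink targets are judged where they live
            if name.lower().endswith(CODE_SUFFIXES) and _writable_by_others(st.st_mode):
                findings.append((os.path.relpath(path, root), "writable-code"))
    return sorted(findings)


def harden(root, findings):
    """Remediate each finding by clearing group/world write bits."""
    for rel, _reason in findings:
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))


def build_demo_tree():
    """Constructed install tree: one correctly permissioned executable, one
    world-writable DLL, one world-writable plugin directory holding a
    non-code file.  Returns the root path."""
    root = tempfile.mkdtemp(prefix="cardio_demo_")
    os.chmod(root, 0o755)
    good = os.path.join(root, "Cardiology.exe")
    bad = os.path.join(root, "imaging.dll")
    plugins = os.path.join(root, "plugins")
    for p in (good, bad):
        with open(p, "wb") as f:
            f.write(b"MZ")  # placeholder content, not a real binary
    os.chmod(good, 0o755)
    os.chmod(bad, 0o777)
    os.mkdir(plugins)
    os.chmod(plugins, 0o777)
    notes = os.path.join(plugins, "notes.txt")
    with open(notes, "w") as f:
        f.write("not code\n")
    os.chmod(notes, 0o666)  # writable, but not loadable: not flagged
    return root


def demo():
    """Run the audit on the constructed tree; returns (root, findings)."""
    root = build_demo_tree()
    return root, audit_install_dir(root)
```

On a real Windows install the same walk would inspect each object's DACL (for example with Get-Acl in PowerShell) for Modify or Write grants to Users, Authenticated Users or Everyone; the mode-bit check here is the POSIX analogue of that question.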
Continue reading at healthcareinfosecurity.com