What to Do with Critical Medical Device Vulnerabilities

Secure your business with CyberHoot Today!!! Sign Up Now An analysis of data from more than 200,000 network-connected infusion pumps used in hospitals and healthcare entities has revealed that 75% ...

What to Do with Critical Medical Device Vulnerabilities

Secure your business with CyberHoot Today!!!

An analysis of data from more than 200,000 network-connected infusion pumps used in hospitals and healthcare entities has revealed that 75% of those medical devices contain security weaknesses that could put them at risk of potential exploitation. The threats included exposure to at least one of 40 known cybersecurity vulnerabilities. For those who may not know, infusion pumps are the IV systems that deliver fluids, medications, and nutrients to patients. 

The Threats and Vulnerabilities

The Palo Alto Networks threat intelligence team said it obtained the scans from seven medical device manufacturers. On top of that, 52.11% of all infusion pumps scanned were susceptible to two known vulnerabilities that were disclosed in 2019 as part of 11 flaws collectively called “URGENT/11“: 

  • CVE-2019-12255 (CVSS score: 9.8) – A buffer overflow flaw in the TCP component of Wind River VxWorks.
  • CVE-2019-12264 (CVSS score: 7.1) – An issue with incorrect access control in the Dynamic Host Control Protocol (DHCP) client component of Wind River VxWorks.

Other important flaws impacting infusion pumps are listed below:

  • CVE-2016-9355 (CVSS score: 5.3) – An unauthorized user with physical access to an Alaris 8015 Point of Care unit may be able to disassemble the device to access the removable flash memory, allowing read-and-write access to device memory
  • CVE-2016-8375 (CVSS score: 4.9) – A credential management error in Alaris 8015 Point of Care units that could be exploited to gain unencrypted wireless network authentication credentials and other sensitive technical data
  • CVE-2020-25165 (CVSS score: 7.5) – An improper session authentication vulnerability in Alaris 8015 Point of Care units that could be abused to perform a denial-of-service attack on the devices
  • CVE-2020-12040 (CVSS score: 9.8) – Cleartext transmission of sensitive information in Sigma Spectrum Infusion System
  • CVE-2020-12047 (CVSS score: 9.8) – Use of hard-coded FTP credentials in Baxter Spectrum WBM
  • CVE-2020-12045 (CVSS score: 9.8) – Use of hard-coded Telnet credentials in Baxter Spectrum WBM
  • CVE-2020-12043 (CVSS score: 9.8) – Baxter Spectrum WBM FTP service remains operational after its expected expiry time until it’s rebooted
  • CVE-2020-12041 (CVSS score: 9.8) – Baxter Spectrum Wireless Battery Module (WBM) permits data transmission and command-line interfaces over Telnet

It doesn’t stop here with the vulnerabilities. Believe it or not, 2 years later in Nov. 2021 Forescout completed a different project examining medical devices (not infusion pumps) and identified 13 new TCP/IP vulnerabilities in medical devices calling this research project the Nucleus:13. Do we not learn from history? It’s more likely that manufacturers and hospitals simply ignore these risks.

What Does This Mean?

Successful exploitation of these vulnerabilities could result in leakage of sensitive patient information and allow an attacker to gain unauthorized access to medical devices like infusion pumps. In 2021, McAfee disclosed security vulnerabilities affecting B. Braun’s ‘Infusomat Space Large Volume Pump’ and ‘SpaceStation’ that could be abused by malicious parties to tamper with medication doses without any prior authentication.

Essentially, these unpatched or unsupported systems are open to being exploited by hackers. If they can control the infusion pumps, they can control a patient’s fate by changing the amount of medication being delivered into their bloodstream, or preventing them from receiving fluids. In theory, hackers could kill patients remotely through overdosing or restricting life-saving medications.

If you’re an SMB working in Healthcare, this next section will provide you with ideas on how to mitigate and minimize the risks you face to your medical devices and patients. If you’re not operating in Healthcare, skip to the “additional cybersecurity recommendations” section below.

What Should Hospitals and Healthcare Entities Be Doing?

The discovery by researchers shows how critically vulnerable certain aspects of the healthcare industry are. With the results of these attacks potentially being deadly, it’s vital healthcare facilities are doing everything they can do to prevent attacks on these systems and healthcare-related systems not mentioned. 

There are six main areas of risk to medical devices today.

  1. Legacy Devices and Operating Systems (OS): medical devices are like computers. Vendors stop supporting old equipment and expect hospitals to upgrade to new equipment and new OS’ on a time scale. Hospitals need to track unsupported equipment and OS’ and replace them on a schedule.
  2. Patching: using the computer analogy, even supported medical devices need fixing and patching during their lifespan. Make sure you have a Vulnerability Alert Management Process (VAMP) in place, to make clear decisions on when to jump on a patch for a given vulnerability or exposure.
  3. External Communications Exposure: medical devices communicate over TCP/IP networks. As shown by security researchers, first Palo Alto networks, then 2 years later by Forescount, vulnerabilities in these old TCP/IP stacks are rampant and must be examined, tested, and patched. Limiting your external network and communications exposure to prevent attacks on your medical devices is a must.
  4. Insecure and Unencrypted Protocols: When you mail a letter, you seal it so that everyone in between can’t read your message. That’s what encryption provides in protocols that manage devices. A command issued by a Doctor, cannot be tampered with and changed when it travels over encrypted secure protocols. Trouble is, some medical devices talk with unsealed envelopes, allowing hackers to modify the requests along the way. Imagine changing the dosage of morphine for a patient from 5mg to 50 mg. Death would be swift, but painless.
  5. Default, Weak, Hardcoded Passwords: CyberHoot has written about the Internet of Things and weaknesses in passwords to manage them. Medical devices are IoT devices and often contain poor password hygiene. Device manufacturers need to learn from Wi-Fi device makers and imprint unique strong passwords on each device instead of default, weak, and reused passwords.
  6. Effective Segmentation: Finally, hospitals would be wise to segment their medical device networks from all other traffic. There’s no reason someone reading an email on a hospital computer who gets infected by Malware from a phishing attack, should then have access to a medical device network. Segment everything and protect yourself. Think of a submarine vs. the Titanic and you’ll understand network segmentation instantly.

Additional Cybersecurity Recommendations

Additionally, these recommendations below will help you and your business stay secure with the various threats you may face on a day-to-day basis. All of the suggestions listed below can be gained by hiring CyberHoot’s vCISO Program development services.

  1. Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
  2. Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
  3. Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
  4. Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, deploy DNS protection, antivirus, and anti-malware on all your endpoints.
  5. In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections, etc) or prohibiting their use entirely.
  6. If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
  7. Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.

All of these recommendations are built into CyberHoot the product or CyberHoot’s vCISO Services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.

To Learn More, Watch This Ted Talk on Medical Device Connectivity and Risks: