Medical Device Vulnerabilities, Safety: DHS Highlights Security Exploits In Medical Scanners

Industrial Control System Computer Emergency Response Team (ICS-CERT) has issued an alert about a number of security vulnerabilities in popular CT and PET Scanners produced by Siemens.

ICS-CERT, a part of the United States Department of Homeland Security (DHS), highlighted four vulnerabilities in multiple medical molecular imaging systems from German medical device manufacturer Siemens. The agency warned “an attacker with a low skill would be able to exploit these vulnerabilities.”

Read: WannaCry Ransomware Attack: Medical Devices Vulnerable To Exploit

Siemens also took steps to inform its customers of the vulnerabilities, issuing a customer alert on July 26. In the alert, the manufacturer rated the vulnerabilities as highly critical, scoring them as a 9.8 out of 10 on the Common Vulnerability Scoring System—an industry standard for assessing the severity of computer system security vulnerabilities.

The exploits affect a number of Siemens systems, including the Siemens CT, PET, and SPECT scanners and medical imaging workflow products. All of the vulnerabilities related to machines that run on the Windows 7 operating system.

One of the vulnerabilities stems from the Windows web server built into the systems. Siemens warned an unauthenticated attacker could remotely execute malicious code on the server. The web server also allows for code injection onto connected devices, putting other machines at risk.

The other three vulnerabilities highlighted in the alert stem from the HP Client Automation Service software used to remotely manage software used on the systems. The software allows for the remote injection of code and could be exploited using a buffer overflow—an attack where a malicious actor overwhelms a system’s temporary memory to overwrite critical information.

Another remote attack that could be carried out through the HP Client Automation Service software would allow an attacker to bypass typical access controls and grant administrative privileges to the attacker.

Read: NHS England Cyberattack: Hospitals Throughout UK Hit By Ransomware

Siemens reported that it is working on updates for the affected systems. In the meantime, it has advised customers to minimize the network exposure of the machines to keep them segmented from the internet as much as possible. The company also advised keeping medical devices behind firewalls and using virtual private networks (VPNs) to connect remotely to devices.

While hospitals often rely on a significant amount of electronic equipment and connected systems to operate, most do not have dedicated staff to enforce basic security practices. A recent report by the Department of Health and Human Services' Health Care Industry Cybersecurity Task Force found the majority of health organizations “lack full-time, qualified security personnel."

The warning issued by ICS-CERT and Siemens is just the latest security vulnerability to be discovered in medical devices. Earlier this year, MRI machines produced by Siemens and CT, MRI and PET scanners from a number of other manufacturers were found to be vulnerable to the WannaCry ransomware attack.

The same attack, which began spreading in May and hit more than one million computer systems in 150 countries, left dozens of National Health Services (NHS) hospitals throughout the United Kingdom unable to operate.