Some Siemens Medical Imaging Devices Vulnerable to HackersDepartment of Homeland Security, Vendor Issue Warnings About Cyber Flaws
The Department of Homeland Security has issued an alert warning about cyber vulnerabilities in certain Siemens medical imaging products running Windows 7 that could enable hackers to "remotely execute arbitrary code."
While the company is downplaying the risk to patients, some security experts say the vulnerabilities could pave the way for malicious attacks, including ransomware attacks, if they are not patched.
The alert from DHS' Industrial Control Systems Cyber Emergency Response Team says Munich, Germany-based Siemens identified four vulnerabilities in the medical imaging products and is preparing patches.
"These vulnerabilities could be exploited remotely," DHS notes. "Exploits that target these vulnerabilities are known to be publicly available. Successful exploitation of these vulnerabilities may allow the attacker to remotely execute arbitrary code. Impact to individual organizations depends on many factors that are unique to each organization."
ICS-CERT recommends that healthcare organizations using the devices evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.
Researcher Billy Rios, who specializes on medical device cybersecurity, says the warning is concerning in light of some recent cyberattacks impacting healthcare and other sectors.
"It's important to note that these vulnerabilities are two years old and involve third-party software. There are also known exploit codes available for the exploits," he says. "These are exactly the types of vulnerabilities targeted by ransomware."
The issues could potentially impact patients, he adds. "I'm not sure what the architecture of the systems are, but it's likely that these exploits can affect therapy."
The DHS alert follows a similar advisory Siemens posted on its website July 26, also noting that the company is preparing updates for the affected products and "recommends protecting network access to the molecular imaging products with appropriate mechanisms."
Siemens' alert advises users to run the affected devices in a dedicated network segment and protected IT environment. The company notes that if that measure cannot be implemented, it recommends:
- If patient safety and treatment is not at risk, disconnect the product from the network and use in standalone mode.
- Reconnect the product only after the provided patch or remediation is installed on the system.
"Siemens ... is able to patch systems capable of remote update handling much faster by remote software distribution compared to onsite visits," the company notes.
Those using devices with remote update handling capability "are recommended to clarify the situation concerning patch availability and remaining risk in the local customer network with the Siemens customer care center first and then to reconnect their systems in order to receive patches as fast as possible. ... This ensures smooth and fast receipt of updates and therefore supports reestablishment of system operations."
In addition, Siemens also recommends customers ensure that they have "appropriate backups and system restoration procedures." The company is also advising customers to contact their local Siemens support center for "specific patch and remediation guidance information."
A Siemens spokesman tells Information Security Media Group that the software updates will be available in August, but he did not specify a date.
Siemens says the vulnerabilities affect all Windows 7-based versions of these imaging products:
- Siemens PET/CT Systems;
- Siemens SPECT/CT Systems;
- Siemens SPECT Systems;
- Siemens SPECT Workplaces/Symbia.net.
The company notes that "an unauthenticated remote attacker could execute arbitrary code by sending a specially crafted request" to the affected devices.
But the spokesman told ISMG: "Based on the existing controls of the devices and use conditions, we believe the vulnerabilities do not result in any elevated patient risk."
One security expert, however, stresses that the potential risk to patients is genuine.
Mac McMillan, president of the security consultancy CynergisTek, says the vulnerabilities could allow malicious attacks, including those involving ransomware, to be waged against organizations. "The vulnerabilities discussed allow arbitrary remote code execution - meaning a malicious party could relatively easily make customized malware that can take advantage of these issues to spread internally," he says.
"Any time code can be executed on the network bad things can happen. Just the corruption of these imaging systems themselves and undermining the integrity of their output is a serious patient safety concern."
In a statement provided to Information Security Media Group, the Food and Drug Administration says healthcare providers should follow the recommendations outlined in the ICS-CERT advisory.
"This advisory is an example of a medical device manufacturer proactively implementing the recommendations outlined in the FDA's Final Guidance on Postmarket Management of Cybersecurity in Medical Devices," says Suzanne Schwartz, associate director of science and strategic partnerships at FDA's Center for Devices and Radiological Health.
"This vulnerability disclosure and coordinated communication with stakeholders across the healthcare and public health community models the initiative that we expect to see from all device manufacturers - one that is proactive, timely and transparent. In fact, as more manufacturers implement the guidance, we anticipate that coordinated vulnerability disclosure, as exemplified here, will become routine business practice for device manufacturers who are engaging in responsible cybersecurity management."
This currently occurs in other safety-critical, industrial-control sectors, where timeliness in identification, mitigation and transparency in communication is the norm, Schwartz notes.
"This proactive behavior demonstrates the collaborative manner in which vulnerabilities can - and should - be addressed in a way that best protects patients," she adds.
The alert from Siemens about its medical imaging products follows reports that during the WannaCry attacks, at least two unidentified U.S. hospitals reported that their imaging systems from German-based medical device manufacturer Bayer AG had been infected (see HHS Ramps Up Cyber Threat Information Sharing).
The problems with the Siemens and Bayer products appear to be similar, McMillan says.
"From the information provide thus far ... the Siemens products could be related to the same or very similar vulnerabilities that stem directly from the use of outdated operating systems."
The DHS advisory about the Siemens medical imaging cyber vulnerabilities also isn't the first time the DHS - or the FDA - has issued warnings about medical device security problems.
In 2015, FDA for the first time issued a warning urging healthcare organizations to discontinue the use of a family of infusion pumps by medical device maker Hospira due to cybersecurity issues (see FDA: Discontinue Use of Flawed Infusion Pumps). DHS also issued an advisory about the Hospira infusion pump cyber vulnerabilities.
Both the FDA and DHS also issued warnings in January about security vulnerabilities in certain cardiac devices made by St. Jude Medical, which was recently acquired by Abbott Laboratories (see 2 Agencies Issue Alerts on St. Jude Medical Cardiac Devices.)
"We are likely to see more of these types of alerts as US CERT and other threat analysis and alert centers become more aware of medical device vulnerabilities," McMillan says. With a proposed Senate bill aimed at bolstering medical device cybersecurity, "there is likely to be renewed interest in this issue," he adds (see Bill Proposes Bolstering Medical Device Cybersecurity).
In the meantime, McMillan suggests healthcare sector can take steps to improve the cybersecurity of medical devices.
"Device manufacturers should submit their products for independent assessment by a qualified lab or application security assessor first of all; implement more mature processes for product development that includes security tests; train coders on secure coding practices; adopt standards that require security functionality; and incorporate security into their technical support for customers," he advises.