Researchers identify software flaws that make medical devices hacker-friendly
More than a dozen vulnerabilities in software used in medical devices and other industries were discovered by researchers, who believe that if exploited by a hacker, they could cause critical equipment such as patient monitors to malfunction.
Hospitals and other facilities have struggled to keep sensitive software up to date as the resource-draining coronavirus pandemic has continued, according to the research, which was shared exclusively with CNN. The research also shows how federal agencies are collaborating with researchers to investigate cybersecurity flaws that could endanger patient safety.
According to cybersecurity firms Forescout Technologies and Medigate, which discovered the problem, the vulnerable software is installed on nearly 4,000 devices manufactured by a variety of vendors in the health care, government, and retail sectors.
According to Forescout, there is no evidence that malicious hackers took advantage of the software flaws, and in some cases doing so would require prior access to the affected computer networks. Siemens, the industrial company that owns the software, has released updates that address the flaws.
Siemens worked in collaboration with federal officials and researchers to identify and assess the vulnerabilities, which were then patched through software updates.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) is reportedly planning to issue an advisory on Tuesday advising users to update their systems in light of the report, according to researchers.
According to Dr. Kevin Fu, acting director of medical device cybersecurity at the FDA's Center for Devices and Radiological Health, "it is critical for medical device manufacturers to have a mechanism in place to quickly determine whether their devices have been compromised."
According to CISA Deputy Executive Assistant Director for Cybersecurity Matt Hartman, "we immediately began working with our partners across all potentially affected critical infrastructure sectors, including the health care sector, to notify potentially vulnerable vendors of the vulnerability and provide guidance on how to remediate it," following the discovery of the vulnerabilities.
Several versions of Siemens' Nucleus Real-time Operating System, a suite of software for managing data across mission-critical networks, have been found to contain the flaws.
According to Fu, the vulnerabilities could affect a wide range of medical devices, depending on the software version and whether or not the device is connected to the internet at the time of disclosure. According to the report, the software flaws could affect certain anesthesia, ultrasound, and x-ray equipment.
Forescout researchers conducted a lab test of the software flaws to determine their severity. According to the research report, they sent malicious commands to a building automation system used in hospitals, causing it to go offline and shutting down the lights and HVAC system in a mock hospital room. The test succeeded. For this to work in practice, the attacker would need to already be connected to the local hospital network, or the building automation device would need to be exposed to the internet.
Elisa Costante, who was vice president of research at Forescout Technologies at the time, told CNN that her research team wanted to emphasize the importance of thoroughly examining aging software used in critical industries for security flaws in order to prevent future attacks.
"Our intelligent world is based on legacy software," Costante explained, adding that legacy software is frequently more difficult to maintain.
The researcher went on to say that she had no evidence of this being used [in the wild] by hackers at this time. "But do we really need to wait for something catastrophic to happen before we raise awareness about the vulnerabilities?" she said.
During the past few years, the FDA has increased its investment in cybersecurity in an effort to address concerns about the risks associated with the digitization of health-care delivery. Researchers demonstrated how a hacker could alter the settings of a specific insulin pump in June 2019, prompting the FDA to advise patients to stop using the pump.