DHS warns high-risk vulnerabilities in over 10 medical devices

The US Department of Homeland Security (DHS) warned in ICS-CERT advisory report released on March 13, 2018, that there are security holes in some specific medical imaging products under GE’s GE Healthcare, Optima. 540 Medical imaging systems and other GE medical imaging products may use default or hard-coded vouchers.

This warning states that “successfully exploiting this vulnerability could allow an attacker to remotely bypass the authentication mechanism and gain access to infected devices.”

Phil Curran, chief information assurance officer and chief privacy officer at Cooper University Health Care in Camden, New Jersey pointed out that “Depending on what function the user ID/password provides the code, the range goes from affecting how the device operates – a patient safety issue – to changing data – integrity – to complete shutdown to accessing patient information.”

What is hard coded?

In computer programs or text editing, there are only hard-coded and soft-coded methods. The difference is that soft coding can be determined and modified at runtime; hard coding cannot be changed. Hard coding is a method of replacing a variable with a fixed value. If you need to change this variable after hard coding, it is very difficult.

According to the survey results provided by the researchers, General Electric conducted a self-assessment and confirmed that some of the angiography products did use default or hard-coded vouchers. According to ICS-CERT, GE has reviewed the password security issues identified by researchers in the investigation report and advised users to contact official support services for password change guidance.

The equipment affected this time involves various products launched by GE Healthcare, including:

Optima, Discovery, Revolution, Centricity, THUNIS, eNTEGRA, CADStream, GEMNet, Infinia, Millenium, Precision MP/i, and Xeleris product families.

Products that are not affected by this vulnerability are the Optima 680, Revolution XQ/i, and THUNIS-800+ systems.

In the report, ICS-CERT pointed out that according to GE, the affected products have been widely deployed in the global medical industry, but some of the affected products listed here have been highlighted – such as the Optima 680, Image. The use of Vault 3.x and THUNIS-800+ in the United States and Canada is very limited and not even deployed.

In a statement to the media, GE Healthcare stated that it has learned that the recent ICS-CERT release of its advisory report contains updates to the previously published US-CERT announcement. The latter also mentions certain products. There is a problem with using the default credentials.

Medical equipment network security researcher Billy · Rios said in an interview, “Hardcoded passwords are a huge problem in healthcare cybersecurity.”

Rios and another researcher from security vendor Cylance, McCaw Terry families once discovered a few years ago, the medical devices from 40 vendors included 300 hard-coded passwords, these devices have been the United States Food The FDA has reviewed the existing problems and has been included in the pre-marketing rectification guidance list.

At the same time, ICS-CERT also issued a warning that emphasized the problem of hard-coded passwords for medical devices discovered by Rios and McCorkle. The FDA has also issued related drafts, recommending that manufacturers introduce cybersecurity considerations in the design and construction of their medical devices.

Rios said in an interview that we have observed that malicious software such as the Mirai botnet will use the default password in the device to invade it. In most cases, service technicians use these codes to repair medical equipment. In order to solve this problem, the hospital can use the research results and related data provided by Irvine to disable the interface related to the technology interface. If the device requires maintenance, the hospital can enable the technician interface during the repair process and disable the relevant interface after the repair is completed.

ICS-CERT also mentioned in its published GE Medical Device Consultation Report that the manufacturer has released product updates that can be delivered on demand; they have released for most of the affected products (except three) for replacement Customized credentials for default or hardcoded credentials.

The ICS-CERT side also pointed out that users can also take other defensive measures to minimize the risk of actual exploitation of this vulnerability. Related initiatives include:

• Close all unused ports on affected systems;
• Discontinue or limit the use of third-party software, such as email and web browser software, on the affected system, because it could broaden the attack surface of medical devices;
• Ensure that affected systems have applied the most current vendor-issued patches available;
• Restrict network access to affected systems and ensure they are not directly accessible from the internet;
• Follow best network design practices, such as implementing network segmentation, using network perimeters with properly configured firewalls to selectively control, and monitoring all traffic passed between zones and systems;
• Monitor and log all network traffic attempting to reach affected products for suspicious activity;
• When remote access is required, use secure methods such as virtual private networks, but recognize that VPNs may have vulnerabilities and should be updated to the most current version.

Source: careersinfosecurity