Older Medical Devices Have Serious Security Flaws Legacy Medical Supply Systems Spotlighted.

The Department of Homeland Security has issued a new alert regarding more than 1,400 software vulnerabilities in an older line of systems used to dispense medical supplies at hospitals. This alert highlights the challenges involved in ensuring security in legacy equipment, including medical devices.

DHS’ Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, issued an advisory on March 29 stating that independent researchers have identified about 1,418 third-party software vulnerabilities in end-of-lifecycle versions of CareFusion’s Pyxis SupplyStation system.

Complex Issues

The vulnerabilities found in the CareFusion system are important to spotlight because they represent the kinds of security problems commonly lurking in medical devices and other equipment. Healthcare providers should continuously measure clinical environments for the effectiveness of compensating security controls built into medical devices. Currently the vulnerabilities do not appear to present immediate patient safety concerns; however, there are certainly data security and privacy risks. Patient information is on these devices and is unencrypted within the Pyxis databases on the systems.

Exploitable Flaws

According to ICS-CERT: “The Pyxis SupplyStation systems have an architecture that typically includes a network of units, or workstations, located in various patient care areas throughout a facility and managed by the Pyxis SupplyCenter server, which links to the facility’s existing information systems. Exploitation of these vulnerabilities may allow a remote attacker to compromise the Pyxis SupplyStation system.” ICS-CERT also notes, “An attacker with low skill would be able to exploit many of these vulnerabilities.”

Because the affected versions are at the end of their lifecycle, a patch will not be provided; however, CareFusion has provided compensating measures to help reduce the risk of exploitation for the affected versions of the Pyxis SupplyStation systems.

For customers not pursuing the remediation path of upgrading devices, CareFusion has provided compensating measures to help reduce the risk of exploitation. CareFusion recommends that customers using older versions of the Pyxis SupplyStation system that operate on these legacy operating systems should consider applying compensating measures, including:

  • Isolating affected products from the Internet and un-trusted systems; however, if additional connectivity is required, such as remote access, use a virtual private network;
  • Monitoring and logging all network traffic attempting to reach the affected products for suspicious activity;
  • Closing all unused ports on affected products;
  • Locating medical devices and remote devices behind firewalls and isolating them from the business network;
  • Ensuring all Microsoft patching and ESET virus definitions are up to date.

It’s important to be aware that vulnerabilities similar to those identified in the Pyxis equipment also exist in many other vendors’ legacy healthcare equipment and medical devices that are still in use at a number of U.S. hospitals.

If you have any questions about the state of your IT security, call ITPAC today.