Medical Device Vulnerabilities: Medical Scanners Increase the Number of Vulnerable Equipment
Vulnerabilities with computer systems have been well-known in the industry over the years. The number and risk associated with these have varied over time. The vulnerabilities have appeared in PCs at the user’s home, with work computers, medical record databases, consumer credit files, credit card processing systems, and many more instances. The attackers seemingly have been more focused on the medical field over the last two years as these attacks have proven to be profitable for the attacking parties. This has manifested itself with ransomware and malware at the hospitals. The medical field has a variety digital assets to choose from to attempt and exfiltrate, including the obvious medical records, and also insurance information along with other PII such as address, social security number, and other items that are marketable. The latest victim in this endeavor have been the Siemens medical scanners.
Unfortunately, it is not difficult to exploit the vulnerability. These exploits have been published in the public. Siemens have also taken this very seriously, as evidenced by them assigning this issue a 9.8/10.0 on the Common Vulnerability Scoring System (CVSS). Although the vulnerability score is high, the company did not believe this would impact the patients or their safety. The targeted systems were operating on an old version of Windows, which certainly did not assist with the situation. These were on Windows 7 machines running Siemens PET (Positron Emission Tomography), CT (Computed Tomography), and SPECT (Single Photon Emission Computed Tomography). Per Siemens, the patches for this were to have been pushed by the end of August.
Siemens has been monitoring the situation. There have been no signs present of an attack or compromise per Siemens. A successful compromise would allow the attacker to insert and execute any code the attacker wished, which seemingly is relatively serious. Also this would allow a buffer overflow to elevate privileges.
This issue is likely only to continue and grow in number of occurrences. As the medical field has not been overly focused on equipment cybersecurity, this provides an easier attack.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.