Security Flaws in Legacy Medical Supply Systems Spotlighted
Experts Say Vulnerabilities Are Common in Many Older Medical Devices
A new alert from the Department of Homeland Security regarding more than 1,400 software vulnerabilities in an older line of systems used to dispense medical supplies at hospitals spotlights the challenges involved in securing legacy equipment, including medical devices.
DHS' Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, on March 29 issued an advisory saying that two independent researchers, Billy Rios and Mike Ahmadi, in collaboration with CareFusion - which was recently acquired by Becton, Dickinson and Co. - have identified about 1,418 third-party software vulnerabilities in end-of-lifecycle versions of CareFusion's Pyxis SupplyStation system.
The Pyxis SupplyStation systems are automated supply cabinets used to dispense medical supplies that can document usage in real time, the alert notes.
The vulnerabilities found in the CareFusion system are important to spotlight because they represent the kinds of security problems commonly lurking in medical devices and other equipment, says Kevin Fu, associate professor of the electrical engineering and computer science department at the University of Michigan and CEO of Virta Laboratories, a start-up security vendor.
"1,400 [flaws] is noteworthy because it helps the risk managers at hospitals visualize the hidden complexity of all the software wrapped behind the beautiful plastic face plates of medical devices," he says. "Think of it as an ingredient list."
The recently discovered vulnerabilities illustrate the complicated issues that healthcare entities deal with in securing all the clinical equipment used in their environments, Fu says.
"Medical devices save lives, but complex software begins to resemble a stone soup of questionable provenance," he says. "I am not surprised to hear of thousands of flaws in a single device. We should continuously measure clinical environments for the effectiveness of compensating security controls built into medical devices. Only then can we meaningfully manage the risks."
In a statement provided to Information Security Media Group, Rios says that while the vulnerabilities do not appear to present immediate patient safety concerns, "there are certainly data security and privacy risks. Patient information is on these devices and is unencrypted within the Pyxis databases on the systems."
In explaining the risks posed by the vulnerabilities, ICS-CERT writes: "The Pyxis SupplyStation systems have an architecture that typically includes a network of units, or workstations, located in various patient care areas throughout a facility and managed by the Pyxis SupplyCenter server, which links to the facility's existing information systems. Exploitation of these vulnerabilities may allow a remote attacker to compromise the Pyxis SupplyStation system."
The SupplyStation system is designed to maintain critical functionality and provide access to supplies in 'fail-safe mode' if the cabinet is rendered inoperable, according to the alert, which notes that manual keys can then be used to access the cabinet. "An attacker with low skill would be able to exploit many of these vulnerabilities," the alert warns.
ICS-CERT notes that the vulnerabilities were found using an automated software composition analysis tool. "Because the affected versions are at end-of-life[cycle], a patch will not be provided; however, CareFusion has provided compensating measures to help reduce the risk of exploitation for the affected versions of the Pyxis SupplyStation systems," the report states.
Last year, ICS-CERT and the FDA issued warnings about security vulnerabilities in certain medication infusion pumps manufactured by another vendor, Hospira. The agencies warned the flaws potentially could allow an unauthorized user to alter the drug dose the devices deliver.
In that situation, FDA took the unusual step of advising hospitals to discontinue using the infusion pumps due to the potential safety risks posed to patients. Rios was one of the independent researchers who discovered those Hospira infusion pump vulnerabilities (see Medical Device Cybersecurity Risks: Measuring the Impact).
In the case of the CareFusion Pyxis SupplyStation systems, FDA says in a statement provided to ISMG, "the device that was the subject of the ICS-CERT is not considered a medical device by the FDA," so it's not under the regulator's authority.
Steps to Take
The ICS-CERT alert notes that "CareFusion has confirmed that the identified vulnerabilities are present in the Pyxis SupplyStation systems that operate on Server 2003/Windows XP ... which are no longer supported."
As a result of the identified vulnerabilities, CareFusion has started reissuing targeted customer communications, advising customers of end-of-life versions with an upgrade path, the alert notes.
"For customers not pursuing the remediation path of upgrading devices, CareFusion has provided compensating measures to help reduce the risk of exploitation. CareFusion recommends that customers using older versions of the Pyxis SupplyStation system that operate on these legacy operating systems should consider applying compensating measures, including:
- Isolating affected products from the Internet and untrusted systems; however, if additional connectivity is required, such as remote access, use a virtual private network;
- Monitoring and logging all network traffic attempting to reach the affected products for suspicious activity;
- Closing all unused ports on affected products;
- Locating medical devices and remote devices behind firewalls and isolating them from the business network;
- Ensuring all Microsoft patching and ESET virus definitions are up to date."
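As an added illustration (not part of the ICS-CERT advisory or CareFusion's guidance), the Python sketch below shows how the isolation, monitoring and unused-port measures can be checked together against firewall flow logs. The subnet, trusted sources, port number and log format are constructed placeholders, not real Pyxis values.

```python
import ipaddress

# All addresses, ports and log lines are constructed placeholders.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # hospital address space
CABINETS = ipaddress.ip_network("10.20.30.0/24")     # isolated cabinet segment
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.20.1.10/32"),           # management server
    ipaddress.ip_network("10.99.0.0/24"),            # VPN address pool
]
REQUIRED_PORTS = {8443}                              # ports the site chose to keep open

# Constructed flow log: timestamp, source, destination, dest port, firewall action
SAMPLE_FLOWS = """\
2016-04-01T08:00:01 10.20.1.10 10.20.30.15 8443 ALLOW
2016-04-01T08:02:17 10.99.0.23 10.20.30.15 8443 ALLOW
2016-04-01T08:05:42 10.50.7.88 10.20.30.15 445 ALLOW
2016-04-01T08:06:03 203.0.113.9 10.20.30.16 3389 DENY
2016-04-01T08:07:30 10.20.1.10 10.20.30.16 139 ALLOW
2016-04-01T08:09:00 10.50.7.88 10.20.1.10 443 ALLOW
"""

def review_flows(log_text):
    """Return (timestamp, src, dst, port, action, reasons) for each flow
    toward the cabinet segment that violates the isolation policy."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                                 # skip malformed lines
        ts, src, dst, dport, action = parts
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip not in CABINETS:
            continue                                 # only traffic reaching cabinets
        reasons = []
        if src_ip not in INTERNAL:
            reasons.append("external-source")        # should never reach the segment
        elif not any(src_ip in net for net in TRUSTED_SOURCES):
            reasons.append("untrusted-source")       # business network, not isolated
        if int(dport) not in REQUIRED_PORTS:
            reasons.append("unexpected-port")        # candidate for closing
        if reasons:                                  # denied attempts are kept too
            findings.append((ts, src, dst, int(dport), action, reasons))
    return findings

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(finding)
```

Findings with an ALLOW action mean the traffic actually reached a cabinet and point to a firewall rule or open port to fix; DENY findings are blocked attempts worth logging and reviewing.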
Becton Dickinson did not immediately respond to an ISMG inquiry about the approximate number of the older CareFusion Pyxis SupplyStation systems still in use at U.S. healthcare facilities. The company referred ISMG to a website posting advising users of the CareFusion Pyxis SupplyStation about upgrade considerations and security information for the legacy system.
Rios says vulnerabilities similar to those identified in the Pyxis equipment exist in many other vendors' legacy healthcare equipment and medical devices still in use at U.S. hospitals.
"While the Pyxis [situation] provides an excellent data point about the number of vulnerabilities within a medical device, it is by no means the exception. We ran similar analysis against other devices and discovered hundreds of vulnerabilities on those devices too," he says.
"At this point, hospitals have the burden of determining what the risk is to their organization. They'll have to conduct triage activities against all 1,400 vulnerabilities to determine what the risks are to their hospital," he says.
Addressing all the security vulnerabilities in healthcare equipment and medical devices that can potentially put other IT systems and possibly patients at risk is daunting for many organizations, Rios says.
"Imagine you are a CIO for a hospital. You are purchasing devices with hundreds, possibly thousands of known vulnerabilities. The CIO can't stop using the device as they help provide patient care," he says. "There are thousands of devices within a modern hospital and you're being asked to secure the devices, protect patient data, and help deliver effective patient care. We're putting hospitals in an untenable position when it comes to securing medical devices."
An important step, Rios says, is for hospitals to isolate an affected, vulnerable device from the network. "If this were the only device that had major security issues, it wouldn't be too bad, but pretty much every device has serious security issues," he says.
The current cybersecurity situation "essentially requires hospitals to place every device - Pyxis, infusion pumps, patient monitoring, anesthesia, MRI, etc. - on its own isolated network. This makes a hospital IT and biomed network impossible to manage," he says.