ICS-CERT is warning about cybersecurity vulnerabilities in Roche point-of-care handheld medical devices.
The devices, which go by the names Accu-Chek and CoaguChek, suffer from improper authentication, OS command injection, unrestricted upload of file with dangerous type, and improper access control vulnerabilities.
The improper authentication vulnerability could enable attackers in an adjacent network to gain unauthorized access through a service interface. The OS command injection vulnerability could allow authenticated attackers in the adjacent network to execute arbitrary commands on the operating system.
The unrestricted upload of file with dangerous type vulnerability could enable an attacker in an adjacent network to overwrite arbitrary files on the system through a crafted update package. The improper access control vulnerabilities could enable an attacker in the adjacent network to execute arbitrary code on the system through a crafted message and to change the instrument configuration.
Niv Yehezkel of Medigate reported these vulnerabilities to Roche.
The specific models that are vulnerable include Accu-Chek Inform II, CoaguChek Pro II, CoaguChek XS Plus, CoaguChek XS Pro, and cobas h 232 POC, as well as their related base units, base unit hubs, and handheld base units.
The Accu-Chek Inform II system is a blood glucose meter with wireless RF functionality for patient glucose testing and monitoring in hospitals. The CoaguChek systems enable healthcare professionals to make real-time adjustments to anticoagulation therapy for patients.
Roche recommended the following mitigation procedures for connected devices:
- Restrict network and physical access to the device and attached infrastructure by enabling the device security features
- Protect connected endpoints from unauthorized access, theft, and malicious software
- Monitor the system and network infrastructure for suspicious activity and report a suspected compromise according to local policy
For non-connected devices, Roche advised organizations to protect them from unauthorized access, theft, and manipulation.
For all affected products, Roche has scheduled the release of new software updates, with availability beginning this month.
The National Cybersecurity and Communications Integration Center (NCCIC) advised that Roche device users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Users should minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. In addition, users should locate control system networks and remote devices behind firewalls and isolate them from the business network.
NCCIC recommended that organizations perform proper impact analysis and risk assessment prior to deploying defensive measures.
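The NCCIC guidance above (minimize network exposure, keep the devices off the Internet, put them behind a firewall, isolate them from the business network, monitor for suspicious activity) is easier to act on as an explicit allow-list. The following Python is an added example written for this page, not code from ICS-CERT, NCCIC or Roche: it encodes one such policy for a point-of-care device segment and flags flow records that the policy would block. The subnets, server addresses, ports, record format and flow records are constructed assumptions, not values from the advisory; substitute your own.

```python
"""Allow-list audit for a point-of-care (POC) device segment.

Added example for this page; not code from ICS-CERT, NCCIC or Roche.
All addresses, ports and records below are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed addressing plan (constructed; adjust to your own network):
POC_SEGMENT = ipaddress.ip_network("10.20.0.0/24")    # handhelds, base units, base unit hubs
DMS_SERVERS = {ipaddress.ip_address("10.10.5.10")}     # point-of-care data management server(s)
DMS_PORTS = {443}                                      # only port devices may reach on the DMS
MGMT_STATIONS = {ipaddress.ip_address("10.10.5.20")}   # sole host allowed to open sessions *to* devices
MGMT_PORTS = {443}                                     # port that host may use toward devices


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


# Assumed record format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def parse_flow(line: str) -> Flow:
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
                int(m["dport"]), m["proto"].lower())


def classify(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'ignore'."""
    src_in = flow.src in POC_SEGMENT
    dst_in = flow.dst in POC_SEGMENT
    if not (src_in or dst_in):
        return "ignore", "does not touch the device segment"
    if src_in and dst_in:
        return "allow", "intra-segment (device to base unit)"
    if src_in:
        # Device-initiated egress: only the DMS, only on the approved port.
        if flow.dst in DMS_SERVERS and flow.dport in DMS_PORTS and flow.proto == "tcp":
            return "allow", "device to data management server"
        if not flow.dst.is_private:
            return "deny", "device segment reaching the Internet"
        return "deny", "device egress to a host not on the allow-list"
    # Something outside the segment is initiating toward a device (this is the
    # "adjacent network" position the advisory's attacker needs).
    if flow.src in MGMT_STATIONS and flow.dport in MGMT_PORTS and flow.proto == "tcp":
        return "allow", "management station to device"
    return "deny", "inbound session to device segment from an unapproved host"


def audit(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (record, reason) for every flow the policy would block."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        verdict, reason = classify(parse_flow(line))
        if verdict == "deny":
            findings.append((line.strip(), reason))
    return findings


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = """\
# <time> <src>:<sport> -> <dst>:<dport> <proto>
2018-11-13T10:02:11Z 10.20.0.17:51234 -> 10.10.5.10:443 tcp
2018-11-13T10:02:15Z 10.20.0.17:51235 -> 10.20.0.2:8080 tcp
2018-11-13T10:03:40Z 10.0.3.44:40001 -> 10.20.0.17:8080 tcp
2018-11-13T10:04:02Z 10.20.0.21:51300 -> 93.184.216.34:80 tcp
2018-11-13T10:05:27Z 10.10.5.20:44100 -> 10.20.0.21:443 tcp
2018-11-13T10:06:00Z 10.0.7.9:3389 -> 10.0.7.10:3389 tcp
""".splitlines()

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"DENY  {record}  ({reason})")
```

Run against the constructed records, the audit reports two violations: a business-LAN host opening a session to a device, and a device reaching an Internet address. The same allow-list, expressed as firewall rules with a default-deny policy on the segment boundary, is the enforcement counterpart; running it over flow logs as above is the monitoring counterpart.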
HealthcareITSecurity recently spoke with a number of experts about the challenge of securing medical devices.
“When it comes down to it, everybody really does want the patients to be treated safely and securely,” said MITRE IT and Cybersecurity Integrator Penny Chase. “But there’s a lot of work to be done, and the bad guys are always ahead of us. We really need to figure out how we can come together and better protect ourselves.”
Chase advised hospitals to segment their networks so that critical medical devices sit on a separate network from the organization's main network, both to ensure continuity if a problem strikes the larger network and to prevent a compromised medical device from being used as an entry point into it.
“We are concerned about the times when malware or ransomware attacks can affect the clinical operations of an entire healthcare organization by shutting down equipment. That is an area that certainly we’re paying very close attention to,” said Suzanne Schwartz, FDA Associate Director for Science and Strategic Partnerships at the Center for Devices and Radiological Health.
“We have seen over the past few years some really substantial progress, and we are encouraged by what we’ve seen across the ecosystem with regard to manufacturers really being champions in certain areas, as well as working together with healthcare delivery organizations,” said Schwartz.