- Possible medical device vulnerabilities, specifically within medical imaging products, have been identified, according to an advisory from the Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Siemens identified four vulnerabilities within its Molecular Imaging products running on Windows 7.
“The exploitability of the vulnerabilities depends on the actual configuration and deployment environment of each product,” Siemens explained in its own advisory. “Siemens is working on updates for affected products and recommends specific countermeasures until fixes are available.”
The affected products are used in clinical environments for diagnostic imaging purposes, and include the following:
- Siemens PET/CT Systems: All Windows 7-based versions
- Siemens SPECT/CT Systems: All Windows 7-based versions
- Siemens SPECT Systems: All Windows 7-based versions
- Siemens SPECT Workplaces / Symbia.net: All Windows 7-based versions
While Siemens works on necessary updates, it urged organizations to run the potentially affected devices in a dedicated network segment and protected IT environment.
However, the advisory added that entities should disconnect the product from the network and use it in standalone mode if patient safety and treatment are not at risk.
Reconnect the product only after the provided patch or remediation is installed on the system. Siemens Healthineers is able to patch systems capable of Remote Update Handling (RUH) much faster by remote software distribution compared to onsite visits. Therefore customers of RUH capable equipment are recommended to clarify the situation concerning patch availability and remaining risk in the local customer network with the Siemens Customer Care Center first and then to re-connect their systems in order to receive patches as fast as possible via Remote Update Handling.
Siemens also recommended that organizations ensure they have appropriate backups and system restoration procedures in place. Furthermore, entities can reach out to their local Siemens Healthineers Customer Service Engineer, portal, or resource center to learn specific patch and remediation guidance information.
ICS-CERT suggested the following steps for users to ensure medical device security:
- Minimize network exposure for all medical devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate all medical devices and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Medical device cybersecurity is quickly becoming a national issue, especially as large-scale cybersecurity attacks and ransomware campaigns show that affected devices could impact patient safety, along with data security.
Just last week, legislation was introduced to better protect sensitive patient information and to create stronger cybersecurity protections for connected devices.
Senator Richard Blumenthal introduced The Medical Device Cybersecurity Act of 2017 (S. 1656).
“The security of medical devices is in critical condition,” Blumenthal said in a statement. “My bill will strengthen the entire health care network against the ubiquitous threat of cyberattacks. Without this legislation, insecure and easily-exploitable medical devices will continue to put Americans’ health and confidential personal information at risk.”
The bill will bolster remote access protections for medical devices in and outside of the hospital, and will ensure that needed cybersecurity updates do not require FDA certification.
Furthermore, the legislation aims to provide guidance and recommendations for end-of-life devices and to expand ICS-CERT responsibilities to include the cybersecurity of medical devices.
The bill has already garnered stakeholder support, with CHIME Board Chair Liz Johnson saying that medical device cybersecurity is a complicated issue. Patients must be able to “receive the benefits that medical devices offer without exposing them to potential safety risks.”
“CHIME is pleased to endorse this legislation. We look forward to continuing a dialogue with members of Congress, the administration and industry partners on this critical issue,” Johnson said in a statement.