PwnedPiper Vulnerabilities Impact Over 3K Hospitals in North America

August 04, 2021 - Critical vulnerabilities are impacting the pneumatic tube systems of over 3,000 hospitals in North America, according to a new report. 

The US Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Control Systems Medical Advisory on August 3 on the PwnedPiper, which refers to nine critical vulnerabilities impacting hospitals.  

According to a new report by Armis researchers, the vulnerabilities impact the pneumatic tube systems (PTS) in North America – the Translogic PTS system by Swisslog Healthcare.  

“This system is used in over 80% of hospitals in North America, and installed in more than 3,000 hospitals worldwide,” the Armis report states. “PTS systems play a crucial role in patient care and are utilized nearly 100% of the time.” 

Armis, an information security company, states that PwnedPiper can allow for “complete takeover of the Translogic Nexus Control Panel, which powers all current models of Translogic PTS stations. Older IP-connected Translogic stations are also impacted but are no longer supported by Swisslog.” 

“The system is responsible for delivering medications, blood products, and various lab samples across multiple departments of a hospital,” the Armis report notes. “The discovered vulnerabilities can enable an unauthenticated attacker to take over PTS stations and gain full control over the tube network of a target hospital. 

A vulnerability could “enable sophisticated and worrisome ransomware attacks, as well as allow attackers to leak sensitive hospital information,” the report notes.  

CISA is recommending that users take “defensive measures to minimize the risk of exploitation of these vulnerabilities.” 

Armis reported the vulnerabilities to Swisslog on May 1, according to the report.  

“Armis disclosed the vulnerabilities to Swisslog on May 1, 2021 and has been working with the manufacturer to test the available patch and ensure proper security measures will be provided to customers,” Ben Seri, Armis VP of Research, who leads the team that discovered the vulnerabilities said in report. “With so many hospitals reliant on this technology we’ve worked diligently to address these vulnerabilities to increase cyber resiliency in these healthcare environments, where lives are on the line.” 

Swisslog Healthcare also released a statement on August 3 regarding the issue, noting that the vulnerabilities are limited to the “HMI-3 circuit board inside of NexusTM Panels when connected using an Ethernet connection. These pneumatic tube systems are deployed primarily in hospitals within North America.” 

Jennie McQuade, Chief Privacy Officer for Swisslog Healthcare, said in the statement that vulnerabilities only exist when a combination of variables exists.  

“The potential for pneumatic tube stations (where the firmware is deployed) to be compromised is dependent on a bad actor who has access to the facility’s information technology network and who could cause additional damage by leveraging these exploits,” McQuade states.  

The company has “researched, reviewed, and confirmed potential vulnerabilities which could impact healthcare facilities currently using hardware containing the HMI3 panel when connected via Ethernet,” she states.  

“A total of eight vulnerabilities have been detected,” she says. “All but one of these were subsequently removed in a software release containing updated firmware. Mitigations for the remaining vulnerability were made. Details on mitigations are documented in the company’s Network Communications and Deployment Guide which is readily available to customers.” 

McQuade said Swisslog Healthcare makes privacy and security of its customer data the highest priority.  

“Swisslog Healthcare is committed to continually monitoring our security programs and industry trends to offer proactive protection to our customers,” she states. “We are grateful to be a trusted provider of healthcare institutions around the world.” 

The Swisslog Customer Care Team is available to current customers 24 hours, 7 days a week, to answer any questions, by calling 800-396-9666.