Security researcher Dan Regalado at Zingbox uncovered the same cybersecurity vulnerability — information exposure through an error message — in two medical devices made by different manufacturers.
Regalado then notified the National Cybersecurity and Communications Integration Center (NCCIC) about them.
For Carestream Vue RIS, ICS-CERT warned that a request to a Carestream server with no Oracle TNS listener available produces an HTTP 500 error. The error message could leak technical details that an attacker could use to launch a more serious cyberattack.
Carestream has fixed the problem in the current version of the software, RIS v 11.3. It has also provided workarounds for previous software versions affected by the vulnerability.
For RIS v11.2 running Windows 8.1 and IIS 7.2, Carestream advises users to disable “Show debug messages” and enable SSL for client/server communications.
Regarding the Change Healthcare PeerVue web server, attackers who exploit the vulnerability could get technical information that they could use to target an organization’s systems.
Users should contact the Change Healthcare support team for information about obtaining a patch for the vulnerability.
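Both advisories concern the same defect: a server error page that carries internal detail. As an added illustration (not code from either vendor or from the advisories), the check below reviews 5xx responses from an application for that kind of leakage, so a team can confirm that a fix such as disabling debug messages actually sanitised the error page. The response bodies and the leak markers are constructed assumptions about typical verbose error pages, not content from the advisories.

```python
import re
from dataclasses import dataclass, field

# Markers that an error page is exposing internal technical detail.
# Assumed/typical indicators, not taken from the Carestream or Change Healthcare advisories.
LEAK_PATTERNS = {
    "oracle_tns_error": re.compile(r"\bORA-\d{5}\b|\bTNS[:-]", re.I),
    "stack_trace": re.compile(r"^\s+at [\w.$<>]+\(", re.M),
    "windows_path": re.compile(r"[A-Za-z]:\\[^\s<>]+"),
    "sql_connect_string": re.compile(r"(Data Source|User Id|Password)\s*=", re.I),
    "server_version": re.compile(r"(Microsoft-IIS|ASP\.NET)[^\n]*\d", re.I),
}


@dataclass
class ErrorReview:
    status: int
    leaks: list = field(default_factory=list)

    @property
    def verbose(self) -> bool:
        # Only a server error that carries at least one marker counts as a leak.
        return self.status >= 500 and bool(self.leaks)


def review_error_response(status: int, body: str) -> ErrorReview:
    """Flag a 5xx response whose body shows detail a sanitised error page should not."""
    review = ErrorReview(status=status)
    if status < 500:
        return review
    for name, pattern in LEAK_PATTERNS.items():
        if pattern.search(body):
            review.leaks.append(name)
    return review


# Constructed sample: a debug-mode error page after a failed Oracle connection.
VERBOSE_BODY = (
    "<html><body><h1>Server Error in '/RIS' Application.</h1>\n"
    "ORA-12541: TNS:no listener\n"
    "Data Source=RISDB;User Id=ris_app;Password=example\n"
    "   at Oracle.DataAccess.Client.OracleConnection.Open()\n"
    "   at RIS.Default.Page_Load(Object sender, EventArgs e) in "
    "C:\\inetpub\\wwwroot\\RIS\\Default.aspx.cs:line 42\n"
    "Version Information: ASP.NET Version:4.7.3062.0\n"
    "</body></html>"
)

# Constructed sample: the same failure with debug messages disabled.
SANITISED_BODY = "<html><body><h1>An error occurred</h1><p>Reference ID 8f3a2c. Contact the service desk.</p></body></html>"

if __name__ == "__main__":
    for label, body in (("verbose", VERBOSE_BODY), ("sanitised", SANITISED_BODY)):
        print(label, review_error_response(500, body))
```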
NCCIC recommended users take defensive measures to minimize the risk of exploitation of the vulnerability:
- Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as virtual private networks.
NCCIC advised organizations to perform an impact analysis and risk assessment prior to deploying defensive measures.
To address vulnerabilities in medical devices, the Medical Device Innovation Consortium (MDIC) has produced a report that encourages the adoption of coordinated vulnerability disclosure (CVD) policies and processes by medical device manufacturers.
MDIC collaborated with law firm Debevoise & Plimpton, advisory services firm Alvarez & Marsal, the FDA, and the medical device community in compiling this report.
“CVD policies establish formalized processes for obtaining cybersecurity vulnerability information, assessing vulnerabilities, developing remediation strategies, and disclosing the existence of vulnerabilities and remediation approaches to various stakeholders — often including peer companies, customers, government regulators, cybersecurity information sharing organizations, and the public,” the report explained.
CVD policies significantly reduce cybersecurity risks to medical device manufacturers, patients, and healthcare organizations, the report noted.
“This paper advances an incredibly important topic in medical device cybersecurity — the adoption of coordinated vulnerability disclosure policies and processes,” said Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health.
“The FDA appreciated the opportunity to work with MDIC in developing this paper to better understand the barriers impeding adoption and to help influence conversations among medical device manufacturers about the value of working with security researchers and others who identify vulnerabilities so that the cybersecurity risk to products can be addressed in a timely and coordinated manner,” Schwartz added.
The report is based on feedback from interviews with large and small medical device companies, security researchers, representatives of medical device trade associations, and FDA officials. It also includes an assessment of publicly available information issued by the FDA and other stakeholders.
Randy Schiestl, vice president of research and development at Boston Scientific and member of MDIC’s Board of Directors and Cybersecurity Steering Committee, commented: “This report encourages companies to leverage the benefits of a defined disclosure process as we work with critical stakeholders to advance medical device product security. The report provides unique insights from many perspectives, including legal, for embracing coordinated disclosure.”
MDIC CEO and President Pamela Goldberg concluded: “MDIC is focused on making meaningful contributions to advance medical device cybersecurity. The information in the report will better position medical device companies to establish their own cybersecurity portal systems as mechanisms for detecting cybersecurity threats, as well as aiding in their response process.”