The Department of Homeland Security has issued an alert over vulnerabilities in Siemens medical imaging devices. The vulnerabilities could be exploited remotely and attacks would require only a low level of skill.
Exploits are publicly available that could allow malicious actors to take advantage of the vulnerabilities in Siemens medical imaging devices and remotely execute arbitrary code. The vulnerabilities have been discovered in Siemens medical imaging systems running Windows 7: Siemens PET/CT systems, SPECT/CT systems, SPECT systems and SPECT Workplaces/Symbia.net are all vulnerable.
Siemens is currently working on patches to correct the vulnerabilities, although until those patches have been issued and applied, healthcare organizations that use the above medical imaging systems should take steps to mitigate risk.
If the vulnerabilities are exploited, malicious actors could install information-stealing malware or ransomware, alter device settings in ways that could harm patients, or use the devices as a foothold from which to attack other parts of the network.
The flaws are not in the Siemens devices, but in the third-party systems on which the devices operate. These flaws are not new either. They have existed in most cases for at least two years. The recent WannaCry and NotPetya attacks have demonstrated that cybercriminals are actively exploiting vulnerabilities and further ransomware attacks can be expected.
The DHS’ Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has strongly advised healthcare organizations to assess the potential impact of these vulnerabilities and take action to mitigate risk.
Siemens has also issued a warning, recommending that, provided patient safety is not put at risk, the devices be disconnected from the network and operated in standalone mode. Healthcare organizations should only reconnect the devices to the network once the patches have been made available.
Due to the risk of ransomware and potential loss of PHI stored on the devices, healthcare organizations have also been advised to make backups of all data.
Siemens will be releasing patches this month and will be applying the patches remotely to devices that have remote update handling capability. Healthcare organizations have been advised to contact their Siemens customer care center regarding the availability of patches to find out when their systems should be reconnected to the Internet to receive those patches.
Healthcare organizations can reduce risk from medical device vulnerabilities such as these by minimizing network exposure, ensuring the devices are not accessible over the Internet, locating the devices behind firewalls and isolating them from the business network. If remote access is required, healthcare organizations should use a VPN.
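The segmentation described above can be expressed concretely as a firewall policy on the gateway that separates the imaging network from everything else. The following nftables ruleset is an added example written for this article; it is not from the ICS-CERT advisory or from Siemens. The interface names, the imaging and VPN address ranges, the PACS server address and the DICOM port are all assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the advisory or Siemens: a ruleset for a Linux gateway
# between an isolated imaging VLAN and the business network / Internet.
# All names, addresses and ports below are assumptions for illustration.

define imaging_if  = "eth1"          # interface facing the imaging VLAN (assumed)
define business_if = "eth0"          # interface facing business LAN and Internet (assumed)
define imaging_net = 10.60.0.0/24    # imaging VLAN (assumed)
define pacs_host   = 10.50.0.10      # PACS server the devices must reach (assumed)
define vpn_net     = 10.90.0.0/24    # address pool issued by the VPN concentrator (assumed)
define dicom_port  = 104             # DICOM port (assumed; 104 and 11112 are common)

flush ruleset

table inet imaging_isolation {
    chain forward {
        # Default deny: traffic crosses the gateway only if a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Allow replies to connections that were permitted when they were opened.
        ct state established,related accept
        ct state invalid drop

        # The imaging devices may talk only to the PACS server, only on the DICOM port.
        iifname $imaging_if ip saddr $imaging_net ip daddr $pacs_host tcp dport $dicom_port accept

        # Remote service access reaches the devices only from the VPN address pool,
        # never directly from the business LAN or the Internet.
        iifname $business_if ip saddr $vpn_net ip daddr $imaging_net accept

        # Anything else leaving the imaging VLAN (business LAN, Internet) is
        # rate-limited into the log and then dropped; the log line is the
        # detection signal for a device trying to reach somewhere it should not.
        iifname $imaging_if limit rate 5/minute log prefix "imaging-egress-denied: "
        iifname $imaging_if drop

        # Anything else heading into the imaging VLAN from a non-VPN source is
        # likewise logged and dropped.
        oifname $imaging_if limit rate 5/minute log prefix "imaging-ingress-denied: "
        oifname $imaging_if drop
    }
}
```

Load it with `nft -f <file>` on the gateway and watch the kernel log for the two prefixes: a burst of `imaging-egress-denied` entries from a device that should only ever talk to PACS is worth investigating. This ruleset implements the longer-term posture from the final paragraph (no Internet exposure, firewall between the devices and the business network, VPN for remote access); it does not replace the interim standalone operation Siemens recommends until the patches are applied.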