Electronics and health technology provider Philips has reported to the Cybersecurity and Infrastructure Security Agency (CISA) a vulnerability in its ultrasound medical devices that allows threat actors to take control of the devices remotely.
In an official statement, CISA said the vulnerability, classified as CWE-288, was identified in Ultrasound ClearVue, Ultrasound CX, Ultrasound EPIQ/Affiniti, Ultrasound Sparq, and Ultrasound Xperius devices. “Successful exploitation of this vulnerability may allow a non-authenticated attacker to view or modify information. An attacker may use an alternate path or channel that does not require authentication of the alternate service login to view or modify information,” CISA said.
Philips corrected the flaws for Ultrasound EPIQ/Affiniti Version VM6.0 and is planning to release patches for Ultrasound ClearVue Version 3.3, Ultrasound CX Version 5.0.3, and Ultrasound Sparq Version 3.0.3 in Q4 2020.
To mitigate the risk of exploitation of the vulnerability, CISA recommends a few preventative measures, including:
- Implement physical security measures to limit or control access to critical systems
- Restrict system access to authorized personnel only and follow a least privilege approach
- Apply defense-in-depth strategies
- Disable unnecessary accounts and services
- Where additional information is needed, refer to existing cybersecurity in medical device guidance issued by the FDA
Health Care Devices at Cyber Risk
Research from Atlas VPN revealed that the majority of health care organizations in the U.S. are running their medical devices on outdated software and operating systems, leaving them vulnerable to cyberattacks. The research found that nearly 83% of health care providers in the U.S. are running on outdated software. More than 40% of health care providers stated that they were planning to enhance their cybersecurity measures this year. The research also revealed that 27% of medical devices are still running Windows XP or old versions of Linux OS. Nearly 16% of imaging systems are at 51% risk of getting hacked.
Due to the severity of the Coronavirus threat, the health care sector leaves several connected medical devices vulnerable to potential cyberthreats.