Siemens and the Department of Homeland Security's Industrial Control System Computer Emergency Response Team (ICS-CERT) have issued an alert warning about potential medical device vulnerabilities that are likely to affect certain Siemens molecular imaging products running on Windows 7. In a customer alert on July 26, Siemens identified four vulnerabilities in its Molecular Imaging products and gave them a rating of 9.8 out of 10 under the Common Vulnerability Scoring System.
ICS-CERT warned that exploits for these vulnerabilities are publicly available, enabling hackers to remotely execute arbitrary code and possibly damage and/or compromise the safety of the systems.
Magnitude of the Attack
The affected systems are Siemens PET/CT, SPECT/CT and SPECT scanners and medical imaging workflow systems running on Windows 7. The company's standalone CT scanners were found to be unaffected. While the Germany-based company works on updates to patch the affected products, it has already issued an advisory recommending that users run the affected devices in protected or dedicated network and IT environments, using suitable mechanisms.
If these measures cannot be employed, the company recommends disconnecting the product from the network and using it in standalone mode. The product must be reconnected only after a software patch is installed on the system.
Siemens also wants customers to ensure appropriate backup and system restoration measures are in place, and to contact their local Siemens support center for information on the particular patch and remediation assistance. The software update is anticipated to be available in August. A spokesman told ISMG (Information Security Media Group) that these vulnerabilities will not result in any imminent patient risks related to the existing controls of these devices and their conditions of use. Some security experts, on the other hand, worry that the probable risk to patients is severe.
Security for Medical Devices becomes Hypercritical
Medical device cyber security is rapidly emerging as a national issue, since the attacks that affected Siemens' devices might bear on the need for patient safety combined with data security. Legislation has been announced to protect electronic medical records and other patient-related data, and to create sturdier cyber security defenses for connected devices.
Meanwhile, many hospitals and clinics lack basic security measures, making systems like the Siemens scanners all the more vulnerable to crypto-ransomware and other malware attacks. Because medical systems habitually share the same network as administrative systems, hackers can easily deploy such malware, which spreads across the network, to extract data. In this situation, a simple click on an email attachment can trigger a breach, which can in turn damage devices. An attack that leads a user to open unpatched legacy web server software could also trigger a breach, one that could even shut hospitals down.