Medical devices have never been subjected to much security testing – a fact that the FDA may argue with, but which is visibly accurate.
This time it is GE’s CIC Pro, a workstation that hospital staff use to manage multiple GE patient devices on a ward. They can use it to monitor patients or change patient settings.
Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published an alert for a series of six vulnerabilities, collectively called MDHex. These vulnerabilities would allow a hacker to compromise the CIC Pro and, from there, the patient information it handles.
CISA rates vulnerabilities on a 1 to 10 scale, with 10 being the scariest. FIVE OUT OF SIX of the vulnerabilities were rated 10. The other was rated 8.5, which is still pretty serious.
The number of devices vulnerable was not disclosed by GE but is thought to be in the hundreds of thousands.
GE plans to release patches “in the coming months”. In the meantime, hope your hospital isn’t hacked.
This is a rampant problem with Internet of Things (IoT) devices, because they are cost sensitive, and with Industrial Internet of Things (IIoT) devices like the patient monitor, because they were never designed to be on the Internet. The workstation line was launched in 2007, well before anyone worried about the Internet of Things, and apparently it runs on Windows XP, which Microsoft has not supported since 2014.
There are some things you can do if you have IoT or IIoT devices in your company:
- Make sure you have a complete and current inventory of all of your IoT and IIoT devices
- Understand what software runs in them, who is responsible for patching them, and whether patches are even available. This includes what libraries the developers used: an old, unsupported library is the source of one of the vulnerabilities above.
- Isolate all IoT and IIoT devices from your IT network
- Consider whether any individual IoT or IIoT device is sensitive enough or its software is risky enough to separate it from everything else
- Build a patching program for your IoT and IIoT devices, whether it is your responsibility or a vendor’s. If it is a vendor’s, manage the vendor closely.
- Watch for alerts for vulnerabilities published – by vendors, researchers, the government and others – for devices that are part of your network.
- If you have a vendor supporting the devices (could be the manufacturer or someone else), review your contract to see what it says about who is responsible for security, privacy and even more importantly, who is liable in case of an attack or a breach.
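The inventory, isolation and patch-ownership checks in the list above can be automated against an asset register. The script below is an added example, not code from the post or from GE: it runs a constructed three-row inventory through those checks and flags devices on an end-of-life OS, sitting on the IT network, without a patch owner, or matching an open advisory. The advisory ID and the device names are placeholders; the Windows XP end-of-support date is the real one.

```python
"""Triage an IoT/IIoT inventory against the checks in the post (added example)."""
from datetime import date

# Constructed inventory rows; a real run would read these from your asset register.
INVENTORY = [
    {"name": "ward-3-cicpro", "vendor": "GE", "product": "CIC Pro",
     "os": "Windows XP", "segment": "corporate-it", "patch_owner": ""},
    {"name": "ward-3-monitor", "vendor": "GE", "product": "patient monitor",
     "os": "embedded RTOS", "segment": "clinical-vlan", "patch_owner": "GE (contract)"},
    {"name": "lobby-camera", "vendor": "Acme", "product": "IP camera",
     "os": "embedded Linux", "segment": "corporate-it", "patch_owner": "facilities"},
]

# Vendor end-of-support dates. Windows XP left extended support on 8 April 2014.
OS_END_OF_SUPPORT = {"Windows XP": date(2014, 4, 8)}

# Constructed advisory feed: product -> (advisory id placeholder, highest CVSS score).
ADVISORIES = {"CIC Pro": ("ADVISORY-ID-PLACEHOLDER", 10.0)}

# Segments that count as "isolated from the IT network" for the isolation check.
ISOLATED_SEGMENTS = {"clinical-vlan", "ot-vlan"}


def triage(inventory, advisories, eos, today):
    """Return [(device name, [issue, ...])], worst device first."""
    findings = []
    for dev in inventory:
        issues = []
        if dev["os"] in eos and today > eos[dev["os"]]:
            issues.append(f"unsupported OS {dev['os']} (end of support {eos[dev['os']]})")
        if dev["product"] in advisories:
            adv_id, score = advisories[dev["product"]]
            issues.append(f"open advisory {adv_id} (CVSS {score})")
        if dev["segment"] not in ISOLATED_SEGMENTS:
            issues.append(f"not isolated from the IT network (segment {dev['segment']})")
        if not dev["patch_owner"]:
            issues.append("no patch owner assigned")
        if issues:
            findings.append((dev["name"], issues))
    # Devices with the most open issues come first so they get attention first.
    findings.sort(key=lambda f: len(f[1]), reverse=True)
    return findings


if __name__ == "__main__":
    for name, issues in triage(INVENTORY, ADVISORIES, OS_END_OF_SUPPORT, date.today()):
        print(name)
        for issue in issues:
            print("  -", issue)
```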
At least this is a start.
Sources: ZDNet, Dark Reading