Cybersecurity vulnerabilities have been identified in third-party software for Canon Medical’s Vitrea View product, potentially putting patient information in jeopardy, according to a security advisory released Thursday by cybersecurity firm Trustwave SpiderLabs.
A Trustwave researcher discovered two vulnerabilities in Vitrea View that could allow an attacker to access patient information, potentially modify information, and gain access to sensitive information and credentials for other services integrated with the platform.
Vitrea View is a tool used to view medical images and other documents. Canon Medical did not respond to a request for comment by publication time.
Trustwave said in an emailed statement that equipment originally used to create the images, such as x-ray scanners or MRI machines, cannot be impacted.
“This vulnerability only potentially affects the access, viewing, and updating of any medical imaging information integrated with the Vitrea platform,” the company said in the statement. “The images are also associated with a patient’s records, so there could potentially be a wealth of information that might be exfiltrated (damaging a patient’s confidentiality) or modified (swapping a patient’s medical images with another, deleting records, or potentially modifying patient information directly).”
Trustwave has contacted Canon Medical about the vulnerabilities, and the company has developed a patch to fix the issues in version 7.7.6, according to the advisory. Trustwave said it has not notified the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
“Actual exploitation would likely require a bit of reconnaissance and specific targeting to trigger something more than a pop-up alert which we show as a proof of concept in the post,” the cyber firm said in the statement. “Given the relative low risk of this vulnerability, we have not notified CISA.”
Trustwave said in a statement that it does not have access to the number of patient records or Canon Medical customers that were potentially at risk due to the vulnerabilities.
Jordan Hedges was the Trustwave researcher who identified the issues.
Securing medical devices has become an important topic in the industry as cyber attackers have focused on healthcare. The FBI recently warned that older, legacy devices, some of which were not designed with cybersecurity in mind, could present a threat to patient safety and hospital operations.
In April, the Food and Drug Administration released guidance for cybersecurity in medical devices. One recommendation is a Software Bill of Materials (SBOM), a readable inventory of the software components that make up a medical device, including third-party software.
Advocates of SBOMs say they will allow users to know what vulnerabilities are in devices currently being used, while critics say they provide that same information to hackers.
This story was updated to include a statement from Trustwave SpiderLabs.