Products sold by Philips and a McKesson joint venture were the subjects of Department of Homeland Security cybersecurity alerts issued Thursday.
The McKesson alert, which relates to a cardiovascular IT system, is the more serious of the two notices, scoring 7.8 out of 10 on the scale used to assess cybersecurity vulnerabilities. That score reflects the potential for a low-skilled hacker to get the system to execute code.
The Philips notice, scored at a 3.0, covers the potential for someone on the same local subnetwork as an old ultrasound system to access images.
McKesson’s technology, which is now sold by the Change Healthcare joint venture it created in 2016, enables cardiologists to gather data from multiple sources into single cardiac files for every patient and make the information available to the entire care team.
Through the vulnerability, attackers can “execute unauthorized arbitrary code.” The alert does not unpack the implications of that phrase in the context of the cardiology system. Generally speaking, arbitrary code may enable hackers to run a wide range of commands, including those that give them access to files stored on the systems.
Multiple generations of cardiology IT systems sold by McKesson and Change Healthcare suffer from the vulnerability. Change Healthcare is patching systems to address the weakness. In the meantime, users are advised to keep the devices behind firewalls and disable unnecessary accounts.
The second cybersecurity alert issued by DHS details a problem with Philips HDI 4000 ultrasound systems that run Windows 2000 and other old operating systems. The exploit enables an attacker on the local subnetwork to view images.
Philips stopped supporting the devices at the end of 2013. As such, the vulnerability will not be fixed. DHS recommends users consider buying newer ultrasound equipment that runs on a still-supported operating system. Failing that, users are advised to ensure only authorized personnel have access to the system and to disable unnecessary accounts.
The alert is the third issued about a Philips product this year after notices regarding its Tasy Electronic Medical Record and Holter 2010 Plus. The Change Healthcare alert is the second received by either it or McKesson, the previous one being issued last October.