- The U.S. Cybersecurity and Infrastructure Security Agency has issued an alert about critical vulnerabilities in Siemens software that could potentially impact millions of medical devices from multiple manufacturers.
- The cyber agency, following the lead of the researchers who identified the weaknesses, scored one of the vulnerabilities 9.8 on a 10-point risk scale, reflecting the potential for hackers to disrupt the operation of critical medical devices such as anesthesia machines and bedside monitors. To date, there are no known attacks that have specifically targeted the vulnerabilities.
- CISA's alert states that Siemens has released updates for several of the affected products and the company is advising users of unpatched devices to take countermeasures but "has not identified any additional specific workarounds or mitigations." A Siemens Healthineers spokesperson in an emailed statement said the company is aware of the vulnerabilities and is investigating to identify if any of its products are affected.
Forescout Research Labs, with support from Medigate Labs, first identified the weaknesses. The researchers discovered a set of 13 vulnerabilities that affect Siemens' software, which is often used in computers embedded in larger systems such as medical devices. The vulnerabilities, which range from a moderate 5.3 to a critical 9.8 on the risk scale, could cause denial of service, information leaks or the execution of remote code.
Anesthesia machines, ventilators and patient monitors are among the medical devices possibly impacted. Forescout researchers used various techniques to estimate the number of devices affected by the vulnerabilities, known collectively as Nucleus:13, and discovered evidence of the use of the software in Zoll defibrillators, Zonare ultrasound devices, a GE Healthcare anesthesia machine and a Nihon Kohden bedside monitor.
GE has already evaluated the impact of Nucleus:13 on its devices, completing assessments of the "limited number" of subcomponents that use the software. "The product teams have evaluated the security design and mitigating controls. Given these design controls and mitigations in place GE Healthcare has determined these products are not impacted by these vulnerabilities," GE wrote.
A Siemens Healthineers spokesperson said the company continues to "monitor the issue as it develops and might notify customers, if it is necessary, through Siemens Healthineers teamplay Fleet customer online portal."
FDA wants all manufacturers to assess their exposure to these vulnerabilities in the Siemens software that was originally released in 1993.
"It is important for medical device manufacturers to have a mechanism to quickly ascertain if their devices are affected," Kevin Fu, acting director of medical device cybersecurity at the FDA's Center for Devices and Radiological Health, told CNN, the first outlet to report the news.
An assessment performed by Forescout identified more than 2,200 healthcare devices vulnerable to the cybersecurity weaknesses. The number of affected devices is more than twice that in any other industry. Across all industries, the researchers identified "close to 5,500 devices from 16 vendors in 127 customers."
CISA is advising users to take defensive measures to cut the risk of the vulnerabilities being exploited and to update vulnerable devices once updates are available.
Nick Yuran, CEO of security consultancy Harbor Labs, said none of his clients use the affected version of the Nucleus stack but sees it as yet "another wake-up call" for the medtech industry about the hidden risks in older legacy medical devices.
"We often find these same classes of vulnerability being repeated across different software platforms of the same era. Based on the age of Nucleus, some of the affected devices could have been in clinical use with these vulnerabilities for more than 20 years," Yuran said.
The three most severe vulnerabilities described in Nucleus:13 all allow the attacker to launch a denial-of-service attack or perform remote code execution, Yuran warned, which are all "potential security outcomes that have historically led regulators to intervene with a strong hand."
The good news is that most of the classes of medical devices affected by the vulnerabilities are "commonly either not networked, or are shielded and isolated on their own network segments," Yuran added.
Greg Slabodkin contributed reporting.