Philips ultrasound system is easily hackable; now criminals can modify your ultrasound scans

The US Department of Homeland Security (DHS) has issued an information security alert related to some medical solutions developed by the tech companies Philips and McKesson, technology that is sold by Change Healthcare.

The alert is related to a critical vulnerability in a cardiovascular analysis system that allows cardiologists to collect data from multiple sources for each patient, allowing all medical personnel to easily access this information. The flaw has received a score of 7.8/10 on the Common Vulnerability Scoring System (CVSS) scale, making it a serious security issue.

According to information security experts, exploiting this vulnerability could allow hackers to execute arbitrary code, compromising the analysis systems used by cardiologists. Hackers could even access the information stored in these systems or alter the results of an ultrasound or cardiovascular analysis.

Several generations of cardiology computer systems sold by McKesson and Change Healthcare could be affected by the vulnerability. The companies are working to quickly address the vulnerability, while experts advise users to review their firewall settings in detail and to disable accounts that are not critical to hospital operations.

Moreover, DHS released a second security alert regarding a flaw in Philips HDI 4000 ultrasound systems running the Windows 2000 operating system and older ones. If exploited, this flaw would allow hackers with a presence on local subnetworks to access the images generated by these systems.

One of the main causes of this problem is that Philips stopped releasing support for these devices almost six years ago, so the vulnerability will not be corrected. Instead, users of these systems are advised to invest in upgrading their ultrasound equipment so that it works with an operating system that is still being maintained. Where it is not possible to purchase new equipment, information security experts recommend that hospitals restrict access to these systems as much as possible, eliminating unused accounts and updating access credentials.

This is the third information security alert related to Philips medical systems this year; previously, the flaws were related to the company's Tasy Electronic Medical Record System. This is also the second time Change Healthcare has been notified of security errors in its products.

Although hospitals are not the most common targets, information security specialists from the International Institute of Cyber Security (IICS) say that the tendency to look for weaknesses in the technological infrastructure of hospitals for malicious purposes has increased recently. A couple of weeks ago, news emerged of a ransomware attack against a hospital group based in France; as a result of the attack, systems of a clinic for more than a hundred patients were completely shut down, so administrative staff and medical professionals had to improvise to keep operations at a relatively normal level.
