The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory about vulnerabilities in Siemens CT and PET scanner systems. Healthcare organizations have been warned that exploits are publicly available for all four of the vulnerabilities. If exploited, attackers would be able to alter the functioning of the devices, potentially placing patient safety at risk. Data stored on the systems would be accessible, malware could be downloaded, and the devices could be used to attack the networks to which they connect. The vulnerabilities can be exploited remotely with no user interaction required.
The vulnerabilities are not in the Siemens systems themselves but in the platform on which the systems run: Windows 7. The vulnerabilities have existed for the past two years and affect the following Siemens PET/CT systems:
- Siemens CT Systems
- Siemens PET Systems
- Siemens SPECT/CT systems
- Siemens SPECT Systems
- Siemens SPECT Workplaces/Symbia.net
There are two code injection vulnerabilities, one improper restriction of operations within the bounds of a memory buffer, and one vulnerability relating to permissions, privileges, and access controls. All four vulnerabilities have been assigned a CVSS v3 score of 9.8 out of 10.
Siemens has not yet issued patches for the vulnerabilities, although they are currently being developed. In the meantime, it is important for healthcare organizations to take steps to protect the devices, the most important of which is to disconnect the devices from the network and operate them in standalone mode, provided this does not jeopardize patient treatment or safety.
The devices should remain disconnected from the network until the patches for the vulnerabilities have been issued. Those patches will be pushed out by Siemens and will be applied automatically. Healthcare organizations should consult their local service center to find out when the patches are available, so they know when to reconnect their devices to have the patches installed.
ICS-CERT also suggests placing the devices behind firewalls and isolating them from other parts of the network. Healthcare organizations that need to access the devices remotely should do so using a VPN, although VPNs may themselves pose a security risk. ICS-CERT recommends updating VPNs to the latest version before using them to connect to the devices.