Researchers say they have found more than a dozen vulnerabilities in software used in medical devices and machinery used in other industries that, if exploited by a hacker, could cause critical equipment such as patient monitors to crash.
The research, shared exclusively with CNN, points to the challenges that hospitals and other facilities have had in keeping sensitive software updated as the resource-absorbing coronavirus pandemic continues. It’s also an example of how federal agencies are working more closely with researchers to investigate cybersecurity flaws that could affect patient safety.
Nearly 4,000 devices made by a range of vendors in the health care, government and retail sectors are running the vulnerable software, according to cybersecurity firms Forescout Technologies and Medigate, which discovered the issue.
There is no evidence that malicious hackers have taken advantage of the software flaws — and doing so would require prior access to networks in some cases, Forescout said. Siemens, the industrial firm that owns the software, has issued updates fixing the vulnerabilities.
Siemens worked with federal officials and the researchers to verify and address the vulnerabilities through software updates.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is expected to issue an advisory Tuesday encouraging users to update their systems in response to the report, according to researchers.
“It is important for medical device manufacturers to have a mechanism to quickly ascertain if their devices are affected,” Dr. Kevin Fu, acting director of medical device cybersecurity at the FDA’s Center for Devices and Radiological Health, told CNN.
After learning of the vulnerabilities, “We began working with our partners across all potentially affected critical infrastructure sectors, including in the health care sector, to inform potentially at-risk vendors of this vulnerability and provide guidance on remediating it,” CISA Deputy Executive Assistant Director for Cybersecurity Matt Hartman said in a statement to CNN.
The vulnerabilities affect versions of the Nucleus Real-time Operating System, a suite of software owned by Siemens that manages data across critical networks.
Fu said the vulnerabilities could affect a range of medical devices, but that it depends on what version of the software is running and whether the device is connected to the internet. In addition to patient monitors, certain anesthesia, ultrasound and x-ray machines could be affected by the software flaw, according to the research.
Forescout researchers tested the software vulnerabilities in a lab. In one case, they sent malicious commands to a building automation system used in hospitals, taking it offline and cutting off the lights and HVAC system in a mock hospital room, according to the research report. (For that to work in practice, a hacker would either need to be on the local hospital network already or the building automation device would need to be exposed to the internet.)
Elisa Costante, vice president of research at Forescout Technologies, told CNN that her research team wanted to highlight how aging software used in key industries needs to be closely examined for security flaws.
“Our smart world relies on legacy software” that is often harder to maintain, Costante said.
“Today, I have no evidence of this being exploited [by hackers] yet in the wild,” she added. “But do we really need to wait for something major to happen rather than create the awareness [needed to address the vulnerabilities]?”
The FDA has invested more in cybersecurity in recent years in an effort to address how the digitization of patient care opens up risks to hacking. The agency in June 2019 advised patients to stop using a certain insulin pump after researchers showed how a hacker might alter the pump’s settings.