A critical vulnerability found in a range of Hillrom Welch Allyn Cardio medical devices could enable unauthorized privileged account access, according to an alert from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency.
Hillrom reported the flaw to CISA. Like other medical device vendors, such as Philips and BD, Hillrom has a responsible disclosure program that actively asks industry stakeholders to quickly notify the vendor of discovered vulnerabilities with supportive documentation.
These types of disclosures are critical to addressing longstanding and well-documented medical device security challenges.
The latest disclosure is an authentication bypass using an alternate path or channel vulnerability, ranked 8.1 in severity by CISA. An attacker could remotely exploit the vulnerability to take control of an affected system.
The flaw exists in the Welch Allyn Q-Stress and X-Scribe Cardiac Stress Testing Systems, Diagnostic Cardiology Suite, Vision Express, H-Scribe Holter Analysis System, R-Scribe Resting ECG System, and Connex Cardio.
When the affected devices are configured to use Single Sign-On, they are affected by an improper authentication flaw that allows the application to accept manual entry of any Active Directory account provisioned in the application, even without a password.
In doing so, an unauthorized user could gain access to the application and its associated privileges through the supplied AD account. It should be noted that the vulnerability has a high attack complexity, and there have been no public exploits specifically targeting the flaw.
Hillrom is currently working on a patch to mitigate the vulnerability and anticipates the patch will be provided with its next software release. But in the meantime, all public health and healthcare provider organizations are being encouraged to review the disclosure and apply the recommendations for mitigation.
The recommended workaround is to disable the SSO feature found in the Modality Manager Configuration settings, which is detailed in the service manual. However, once SSO is disabled, the applications will require user credentials at startup.
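To make the flaw described above and the workaround concrete, here is an added illustrative model (hypothetical code, not Hillrom's) of an SSO-mode login path that trusts a manually entered AD account name without any credential, beside a hardened version that only honours identities asserted by a verified SSO provider and otherwise requires a password; the account table, password store and assertion format are constructed for the example.

```python
"""Illustrative model of an authentication bypass via an alternate path (SSO mode).
Hypothetical code, not Hillrom's; all sample data below is constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: AD accounts provisioned in the application and their roles.
PROVISIONED_ACCOUNTS = {"cardio_admin": "administrator", "tech01": "technician"}
# Constructed sample: credentials (a real product would verify against AD).
PASSWORDS = {"cardio_admin": "S3cret!", "tech01": "pass"}


@dataclass
class SsoAssertion:
    account: str    # identity asserted by the SSO provider
    verified: bool  # whether the provider's signature validated


def login_vulnerable(account: str, password: Optional[str], sso_enabled: bool) -> Optional[str]:
    """Flawed flow: with SSO on, a manually typed account name is treated as if the
    SSO provider had asserted it, so no credential is ever checked."""
    if account not in PROVISIONED_ACCOUNTS:
        return None
    if sso_enabled:
        return PROVISIONED_ACCOUNTS[account]  # bypass: role granted on the name alone
    if password is not None and PASSWORDS.get(account) == password:
        return PROVISIONED_ACCOUNTS[account]
    return None


def login_hardened(account: str, password: Optional[str], sso_enabled: bool,
                   assertion: Optional[SsoAssertion] = None) -> Optional[str]:
    """Fixed flow: the SSO path only honours an identity carried by a verified
    provider assertion that matches the requested account; the manual path always
    requires the password. With SSO disabled (the published workaround) only the
    manual path exists, which is why users are then prompted for credentials."""
    if account not in PROVISIONED_ACCOUNTS:
        return None
    if sso_enabled and assertion is not None:
        if assertion.verified and assertion.account == account:
            return PROVISIONED_ACCOUNTS[account]
        return None  # unverified or mismatched assertion is rejected
    if password is not None and PASSWORDS.get(account) == password:
        return PROVISIONED_ACCOUNTS[account]
    return None
```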
Administrators should also ensure all devices are updated to the latest product versions and apply proper network and physical security controls. Authentication should be required for server access.
CISA added that administrators should review system controls and ensure the impacted products aren’t accessible from the internet and are isolated from the business network and behind firewalls.
As Jason Elrod, MultiCare Health System's chief information security officer, explained during the recent SCHealth eConference, securing devices involves shrinking the perimeter as close to the device as possible to maintain device function and prevent unauthorized access.
Given that the patch from Hillrom to address this critical vulnerability is forthcoming, it’s important to ensure the impacted devices are properly segmented and segregated from the main network to protect the overall infrastructure.