The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a warning about vulnerabilities in Siemens CT and PET scanner systems. Healthcare organizations have been put on alert and warned that there are publicly available exploits for all four of the vulnerabilities.
If the vulnerabilities are exploited, hackers would be able to alter the functioning of the devices, potentially placing patient safety at risk. Data stored on the systems would be accessible, malware could be downloaded, and the devices could be used to attack the networks to which the devices connect. The vulnerabilities can be exploited remotely with no user interaction required.
The vulnerabilities are not in the Siemens systems themselves but in the platform on which they run, Windows 7. The vulnerabilities have existed for the past two years and affect the following Siemens PET/CT systems:
- Siemens CT Systems
- Siemens PET Systems
- Siemens SPECT/CT Systems
- Siemens SPECT Systems
- Siemens SPECT Workplaces/Symbia.net
There are two code injection vulnerabilities, one improper restriction of operations within the bounds of a memory buffer, and one vulnerability relating to permissions, privileges, and access controls. All four vulnerabilities have been given a CVSS v3 score of 9.8 out of 10.
Siemens has yet to issue patches to correct the vulnerabilities, although patches are currently being developed. In the meantime, it is important for healthcare organizations to take steps to secure the devices, the most important of which is to disconnect the devices from the network and run them in standalone mode, provided this does not jeopardize patient safety or treatment.
The devices should remain disconnected from the network until the patches for the vulnerabilities have been released. Those patches will be pushed out by Siemens and will be applied automatically. Healthcare organizations should consult with their local service center to find out when the patches are available so they know when to reconnect their devices to have the patches installed.
ICS-CERT also recommends locating the devices behind firewalls and isolating them from other parts of the network. Healthcare organizations that need to access the devices remotely should do so using a VPN, although VPNs may pose a security risk. ICS-CERT recommends updating VPNs to the latest version prior to using them to connect to the devices.