Federal authorities warn of security flaws in Cardio products


Vulnerabilities contained in some Hillrom Medical electrocardiographs

Marianne Kolbasuk McGee (HealthInfoSec) •
June 23, 2022

Cardiac monitors manufactured by Hillrom Medical and used by medical practices around the world contain a vulnerability that allows hackers to gain unauthorized access by exploiting the devices’ short-range Wi-Fi connection.


The same line of electrocardiographs also contains hard-coded passwords, a coding flaw that hackers appreciate but cybersecurity experts abhor.

Hillrom is releasing a patch after coordinating the disclosure with the US Cybersecurity and Infrastructure Security Agency, which issued an alert last week. Baxter International acquired Hillrom last December.

There are no known exploits targeting the vulnerabilities, which could allow attackers to compromise the devices by executing commands, gaining privileges, accessing sensitive information and evading detection, CISA warns.

However, the flaws underscore the importance of addressing security throughout the life cycle of a device, starting in the design phase.

“We are going to have to change the way we approach the problem of cybersecurity, in all sectors,” says former healthcare CIO David Finn, vice president of education and networking associations at the College of Healthcare Information Management Executives.

“Dealing with holes, gaps, vulnerabilities after they’ve loosened up in the wild is not the best time to start fixing them,” he says.

Alert Details

Hillrom Medical products containing the vulnerabilities include:

  • Welch Allyn ELI 380 resting electrocardiograph, versions 2.6.0 and earlier;
  • Welch Allyn ELI 280/BUR280/MLBUR 280 resting electrocardiograph, versions 2.3.1 and earlier;
  • Welch Allyn ELI 250c/BUR 250c resting electrocardiograph, versions 2.1.2 and earlier;
  • Welch Allyn ELI 150c/BUR 150c/MLBUR 150c resting electrocardiograph, versions 2.2.0 and earlier.

CISA says the vulnerabilities were reported to the company by an anonymous user.

The Wi-Fi vulnerability stems from the portability of the devices. Hillrom marketing boasts that its electrocardiographs are “decoupled from the patients, so you can move freely around the exam room with no wiring to get in your way.”

Affected devices leave open by default several network services commonly abused by attackers to break into systems, including FTP, SSH and Telnet.
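The affected-version list above and the open-services finding translate directly into a triage task for a hospital security team: which ECG units in the fleet are at or below the last affected firmware, and which still expose FTP, SSH or Telnet. The script below is an added example written for this article; it is not code from the article, Hillrom, Baxter or CISA. The inventory format, the device names and the `assess` / `Finding` names are constructed assumptions; the version ceilings are the ones the article quotes from the alert.

```python
"""Triage an ECG device inventory against the affected-version list in the CISA alert.

Added example (not code from the article, Hillrom, Baxter or CISA). The inventory
format and device identifiers are constructed for illustration.
"""
from dataclasses import dataclass, field

# Highest affected firmware per product line, as the article quotes the alert
# ("versions X and earlier"). Anything at or below this tuple is in scope.
AFFECTED_THROUGH = {
    "eli 380": (2, 6, 0),
    "eli 280": (2, 3, 1), "bur280": (2, 3, 1), "mlbur 280": (2, 3, 1),
    "eli 250c": (2, 1, 2), "bur 250c": (2, 1, 2),
    "eli 150c": (2, 2, 0), "bur 150c": (2, 2, 0), "mlbur 150c": (2, 2, 0),
}

# Services the article says the devices leave open by default; a device still
# exposing any of them is flagged regardless of firmware version.
RISKY_SERVICES = {"ftp", "ssh", "telnet"}

# Constructed sample inventory, e.g. an export from an asset-management tool.
SAMPLE_INVENTORY = """\
device_id,model,firmware,open_services
ecg-01,Welch Allyn ELI 380,2.6.0,ftp;ssh;telnet;https
ecg-02,Welch Allyn ELI 380,2.7.0,https
ecg-03,ELI 280,2.3.1,telnet
ecg-04,MLBUR 150c,2.2.0,
ecg-05,ELI 250c,2.1.3,ssh
ecg-06,Some Other Monitor,1.0.0,ssh
"""


def parse_version(text: str) -> tuple[int, ...]:
    """'2.10.1' -> (2, 10, 1); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.strip().split("."))


def normalize_model(model: str) -> str:
    """Lower-case, collapse whitespace and drop the 'Welch Allyn' brand prefix."""
    name = " ".join(model.lower().split())
    prefix = "welch allyn "
    return name[len(prefix):] if name.startswith(prefix) else name


@dataclass
class Finding:
    device: str
    model: str
    firmware: str
    known_model: bool          # model appears in the advisory's product list
    vulnerable_version: bool   # firmware at or below the last affected version
    exposed_services: list[str] = field(default_factory=list)

    @property
    def needs_action(self) -> bool:
        return self.vulnerable_version or bool(self.exposed_services)


def assess(inventory_csv: str) -> list[Finding]:
    """Evaluate every inventory row against the version ceilings and service policy."""
    findings = []
    for line in inventory_csv.strip().splitlines()[1:]:  # skip the header row
        device, model, firmware, services = (f.strip() for f in line.split(",", 3))
        ceiling = AFFECTED_THROUGH.get(normalize_model(model))
        vulnerable = ceiling is not None and parse_version(firmware) <= ceiling
        exposed = sorted(s for s in services.lower().split(";") if s in RISKY_SERVICES)
        findings.append(Finding(device, model, firmware, ceiling is not None, vulnerable, exposed))
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        status = "ACTION" if f.needs_action else "ok"
        print(f"{f.device:8} {f.model:22} {f.firmware:6} version-affected={f.vulnerable_version!s:5} "
              f"exposed={','.join(f.exposed_services) or '-':16} {status}")
```

Two design points matter in practice: versions are compared as integer tuples so that a hypothetical 2.10.0 is correctly treated as newer than 2.6.0 (a plain string comparison would get this wrong), and an exposed management service is reported even on patched firmware, because the advisory's point about open FTP, SSH and Telnet is a network-exposure problem that a firmware update does not by itself make irrelevant.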

The decision to use hard-coded passwords was made by the programmers to facilitate inbound authentication and outbound communication to external components. Hard-coded – i.e., unchangeable – passwords are a persistent problem in the networked device industry (see: Feds Warn of 7 Flaws Affecting Medical Devices and IoT Equipment).

“New releases of these products will mitigate these vulnerabilities. Baxter will continue to work closely with customers to answer any questions they have regarding the safety and security of Welch Allyn ELI resting electrocardiograph devices,” the company said in a statement.

Hillrom Medical – whose cardio machines are the subject of a recent CISA notice – was acquired by Baxter International last year.

Several other Hillrom cardio products were the subject of a separate federal security vulnerability advisory last December (see: CISA: authentication failure in some Hillrom Cardio products).

Raising the bar

For its part, the Food and Drug Administration’s latest draft guidance for premarket cybersecurity of medical devices contains a long list of proposals aimed at improving the security practices of medical device manufacturers throughout the product life cycle (see: FDA document details cyber expectations of device makers).

This includes device manufacturers establishing a plan early on to identify and communicate product vulnerabilities.

These plans should be part of a manufacturer’s premarket product submissions so that the FDA can assess whether the company has sufficiently addressed how to maintain device safety and effectiveness after marketing clearance is granted, says the agency.

Congress is also looking at ways to strengthen the cybersecurity of medical devices. Several recent bills with medical device cybersecurity proposals are making their way through Congress.

These include the bipartisan Medical Device Cybersecurity Enhancement Act, which would require the FDA to review and update pre-market medical device cybersecurity guidance every two years. The bill is sponsored by Sens. Jacky Rosen, D-Nev., and Todd Young, R-Ind. (see: Bill calls for frequent updates to FDA device cybersecurity guidelines).
