This week, the US Cybersecurity and Infrastructure Security Agency issued an advisory about critical vulnerabilities in medical device software. The group of 13 new vulnerabilities affects Siemens’ Nucleus TCP/IP stack, according to a blog post from Forescout Research Labs. Remote code execution, denial of service, and information leaks are all possible consequences of the issues. However, the team at Forescout, which discovered the flaws with the help of Medigate Labs, described figuring out where the code could be found as “notoriously tough.”
“CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures,” the alert said. Despite the difficulty of locating the code, the Forescout researchers discovered 2,233 susceptible devices in the healthcare industry running Nucleus, which Siemens acquired in 2017. Anesthesia equipment, patient monitors, and other “safety-critical” devices are among those affected, according to Forescout.
According to CISA, there are no publicly available exploits that directly target these flaws. All of them have been patched by Siemens. To address the issues, Forescout suggested a mitigation technique for network operators. Cisco, GE Healthcare, and Philips are among the significant device manufacturers who have issued statements in response to the findings. During the COVID-19 pandemic, medical device security has become more critical as remote patient monitoring and telehealth have expanded the number of endpoints on hospitals’ networks.