Federal Authorities Warn of Cardio Product Security Flaws
Vulnerabilities Contained in Certain Hillrom Medical Electrocardiographs
Heart monitors built by Hillrom Medical and used by medical practices across the globe contain a vulnerability that allows hackers to gain unauthorized access by exploiting the devices' short-range Wi-Fi connection.
The same line of electrocardiographs also contains hard-coded passwords, a coding flaw that hackers relish but cybersecurity experts abhor.
Hillrom is releasing a patch after coordinating disclosure with the U.S. Cybersecurity and Infrastructure Security Agency, which issued an alert last week. Baxter International acquired Hillrom last December.
No known exploits target the vulnerabilities, which allow attackers to compromise the devices' software security by executing commands, gaining privileges, accessing sensitive information and evading detection, CISA warns.
They're nonetheless reminders of the importance of addressing security throughout the device life cycle, including in the early design phase.
"We are going to have to change the way we think about addressing the problem of cybersecurity, in all sectors," says former healthcare CIO David Finn, vice president of the education and networking associations within the College of Healthcare Information Management Executives.
"Addressing holes, gaps, vulnerabilities after they are loose in the wild is not the best time to start fixing them," he says.
Hillrom Medical products containing the vulnerabilities include:
- Welch Allyn ELI 380 Resting Electrocardiograph, versions 2.6.0 and prior;
- Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph, versions 2.3.1 and prior;
- Welch Allyn ELI 250c/BUR 250c Resting Electrocardiograph, versions 2.1.2 and prior;
- Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph, versions 2.2.0 and prior.
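A defender-side triage check for the affected-version list above, added here as an example (not code from the article, Hillrom, Baxter or CISA): it maps the marketing names (ELI, BUR, MLBUR variants) to a firmware family and applies the "and prior" threshold to each device in an inventory. The hostnames and inventory entries are constructed.

```python
import re
# Highest affected firmware version per family ("and prior"), from the advisory list above.
AFFECTED = {
    "ELI 380": (2, 6, 0),
    "ELI 280": (2, 3, 1),
    "ELI 250C": (2, 1, 2),
    "ELI 150C": (2, 2, 0),
}

# Marketing names that belong to each family (BUR/MLBUR variants share the firmware line).
FAMILY_PATTERNS = [
    (r"\bELI\s*380\b", "ELI 380"),
    (r"\b(ELI|BUR|MLBUR)\s*280\b", "ELI 280"),
    (r"\b(ELI|BUR)\s*250\s*C\b", "ELI 250C"),
    (r"\b(ELI|BUR|MLBUR)\s*150\s*C\b", "ELI 150C"),
]

def normalize_model(name):
    """Map an inventory model string (any casing, vendor prefix allowed) to a family."""
    key = name.upper()
    for pattern, family in FAMILY_PATTERNS:
        if re.search(pattern, key):
            return family
    return None  # not a model covered by this advisory

def parse_version(text):
    """'2.3.1' -> (2, 3, 1); missing components count as 0 so '2.4' sorts after '2.3.1'."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(model, version):
    """True if the device runs an affected build, False if newer, None if not covered."""
    family = normalize_model(model)
    if family is None:
        return None
    return parse_version(version) <= AFFECTED[family]

def triage(inventory):
    """Return hostnames that still need the vendor patch."""
    return [host for host, model, ver in inventory if is_affected(model, ver)]

# Constructed sample inventory: (hostname, model as recorded, firmware version).
SAMPLE_INVENTORY = [
    ("ecg-exam1", "Welch Allyn ELI 280", "2.3.1"),   # equal to threshold: affected
    ("ecg-exam2", "BUR280", "2.4.0"),                # newer build: not affected
    ("ecg-cardio", "Welch Allyn ELI 380", "2.5.2"),  # below 2.6.0: affected
    ("ecg-mobile", "MLBUR 150c", "2.2.1"),           # newer than 2.2.0: not affected
    ("ward-mon", "Other Vendor X1", "1.0"),          # outside the advisory
]
```

Running `triage(SAMPLE_INVENTORY)` lists the hosts to schedule for the vendor update; devices the advisory does not cover are left out rather than reported as safe.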
CISA says the vulnerabilities were reported to the company by an anonymous user.
The vulnerability is reachable over Wi-Fi because the devices are designed to be portable. Hillrom marketing boasts its electrocardiographs are "untethered from patients, so you can move freely throughout the exam room without cabling to get in the way."
By default, the affected devices left several commonly targeted network services enabled, including FTP, SSH and Telnet.
The programmers chose hard-coded passwords to ease inbound authentication and outbound communication with external components. Hard-coded, meaning unchangeable, passwords are a persistent problem in the networked appliance industry (see: Feds Warn of 7 Flaws Affecting Medical Devices, IoT Gear).
"New versions of these products will mitigate these vulnerabilities. Baxter will continue to work closely with customers to address any questions they have around the safety and security of Welch Allyn ELI Resting Electrocardiograph devices," the company says in a statement.
Several other Hillrom cardio products were the subject of a separate federal security vulnerability advisory last December (see: CISA: Authentication Flaw in Certain Hillrom Cardio Products).
Raising the Bar
For its part, the Food and Drug Administration's latest draft guidance for premarket medical device cybersecurity contains a long list of proposals to improve security practices of medical device makers throughout the products' life cycle (see: FDA Document Details Cyber Expectations for Device Makers).
That includes device makers establishing a plan early on for identifying and communicating product vulnerabilities.
These plans should be part of a manufacturer's premarket product submissions so that the FDA can assess whether the company has sufficiently addressed how to maintain the safety and effectiveness of the device after marketing authorization is granted, the agency says.
Congress is also seeking ways to bolster medical device cybersecurity. Several recent bills containing medical device cybersecurity proposals are making their way through Congress.
They include the bipartisan Strengthening Cybersecurity for Medical Devices Act, which would require the FDA to review and update premarket medical device cybersecurity guidance every two years. The bill is sponsored by Sens. Jacky Rosen, D-Nev., and Todd Young, R-Ind. (see: Bill Calls for Frequent FDA Device Cyber Guidance Updates).