Posted by Haidee LeClair on August 23, 2018
It’s never good news to find out that both your personal and clinical information could be compromised by the software platform your healthcare provider is using.
But it’s at least somewhat better news to know that the company responsible for the vulnerable software has been transparent about it, notifying the appropriate government agencies so all users are warned and can take defensive measures.
Which is what Netherlands-based Philips did earlier this month after it discovered unpatched vulnerabilities in its IntelliSpace Cardiovascular (ISCV) line of medical data management products.
The company reported it to the NCCIC (National Cybersecurity and Communications Integration Center). That led to a notification last week from ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), which is part of NCCIC and under the federal Department of Homeland Security (DHS).
That is the way so-called responsible disclosure is supposed to work.
The potential for exposure of the cardiac patient data is still serious. As Threatpost noted, an attacker with local access to the ISCV/Xcelera server could exploit the vulnerability to escalate privileges, “gain administrative access, and from there be able to open folders that contain executables where authenticated users have write permission.”
That would also be enough to give an attacker access to confidential patient information—both personal and clinical.
ICS-CERT said the ISCV’s “comprehensive cardiac image and information management software” is used to maintain patients’ cardiovascular clinical information, which includes cardiac imaging files. Philips, on its website, says its “Cardiology Timeline” provides a “panoramic chronological overview of your patients’ cardiovascular care continuum.”
Which is not a good thing if it gets in the hands of unauthorized people.
More bad news: The vulnerability takes a “low skill level” to exploit and has a 7.3 ranking on the Common Vulnerability Scoring System (CVSS), which is considered moderately severe. And Threatpost noted that since the ISCV can connect to other third-party applications that provide correlating information on “a system, patient, study and series level,” this could mean “potential data exposure could be much larger than what the ISCV itself is home to.”
There is some good—or at least mitigating—news beyond the fact that users have been warned of the problem. An attack can’t be executed remotely—it requires “local network access” and/or someone who already has user privileges. Also, ICS-CERT said, “No known public exploits specifically target these vulnerabilities.”
Beyond that, Larry Trowell, associate principal consultant at Synopsys, noted that Philips had also reported a second vulnerability—this one ICS-CERT identified as an “unquoted search path or element”—which was assigned a CVSS score of 4.2, or lower risk. And there is already a patch available for it.
“I’m not sure, but it looks like you need to attack via the unquoted path vulnerability first,” he said. “So in my mind, this goes down to the lower severity.”
He added that unquoted search paths only happen on Windows-based systems. “So even being Windows, it has account restrictions, so this should be a low attack surface,” he said.
That doesn’t make it trivial. While the fact that an attacker needs local network access is significant, “this just means that there needs to be a secondary attack vector to reach it,” Trowell said. “This could be as simple as an outdated router, which as you know are being targeted left and right to form botnets now.”
But he said neither patients nor healthcare organizations using ISCV products should panic. “This falls into a trusted local access problem,” he said. “It could be a risk for a targeted attack, or a target of opportunity, but in most cases it is relatively safe as there are easier things for script kiddies to attack.”
Philips said a fix for the privilege escalation problem, which affects ISCV v3.1 or earlier and Xcelera v4.1 or earlier, would be available in October, with ISCV v3.2.
This, however, is not the first problem noted with ISCV products this year. HIPAA Journal noted several of them in a post last week:
Philips is not alone, of course. The security of healthcare data and devices was the focus of several presentations at the recent Black Hat conference in Las Vegas, where the message was that things are improving but there is still a long way to go.
For customers using vulnerable ISCV products, Philips recommended that they review their file permission policies and, where possible, restrict available permissions.
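The two conditions the article describes, an unquoted service path and executable folders that broad groups can write to, can be audited together. The following PowerShell check is an added example, not code from Philips, ICS-CERT or this article; it assumes a local administrator session on a Windows host and that the services of interest are registered with the Service Control Manager.

```powershell
# Added audit example (not Philips' or ICS-CERT's code): lists Windows services whose
# binary path is unquoted and contains spaces, and reports which directories along
# that path grant write-class rights to broad built-in groups. Run as administrator.

$BroadGroups = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Test-BroadWriteAccess {
    param([string]$Directory)
    # True when an Allow ACE grants a write-class right to one of $BroadGroups.
    $acl = Get-Acl -Path $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles') {
            return $true
        }
    }
    return $false
}

function Get-UnquotedServicePathRisk {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $cmd = $svc.PathName
        # Quoted paths are safe; only the executable portion (up to .exe) matters.
        if (-not $cmd -or $cmd.StartsWith('"')) { continue }
        if ($cmd -match '^(?<exe>.+?\.exe)') { $exe = $Matches['exe'] } else { continue }
        if ($exe -notmatch '\s') { continue }
        # Each space is a point where Windows would try a shorter candidate name
        # (e.g. "C:\Program.exe"); the candidate's parent directory is what must
        # not be writable by unprivileged users, so collect and test those.
        $dirs = @()
        $idx = $exe.IndexOf(' ')
        while ($idx -gt 0) {
            $candidateDir = Split-Path -Parent $exe.Substring(0, $idx)
            if ($candidateDir -and (Test-Path $candidateDir)) { $dirs += $candidateDir }
            $idx = $exe.IndexOf(' ', $idx + 1)
        }
        $writable = $dirs | Sort-Object -Unique | Where-Object { Test-BroadWriteAccess $_ }
        [PSCustomObject]@{
            Service         = $svc.Name
            StartMode       = $svc.StartMode
            RunsAs          = $svc.StartName
            UnquotedPath    = $exe
            BroadlyWritable = ($writable -join '; ')
        }
    }
}

Get-UnquotedServicePathRisk | Format-Table -AutoSize
```

Rows with a non-empty BroadlyWritable column are the ones to fix, by quoting the service's ImagePath and tightening the listed directories' ACLs, which is the permission review Philips recommends.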
And NCCIC recommended what probably ought to be standard for any healthcare organization, since it amounts to basic security hygiene: