Philips has yet to patch a flaw that would let an attacker plant ransomware or a backdoor on the affected servers, putting PHI at risk of compromise.
On Philips ISCV version 2.x and earlier and Xcelera 4.x and 3.x, the servers contain 20 Windows services whose executables sit in a folder where authenticated users have write permission. The services run as a local admin account or the local system account, so if a user replaced one of those executables with a different program, that program would be executed with the same local admin or local system privileges.
Philips confirms these vulnerabilities affect its IntelliSpace Cardiovascular system versions 2.3.1, 3.1 and earlier. Also affected are Xcelera versions 4.x and 3.x. In ISCV version 3.x and earlier and Xcelera 4.x and 3.x, flaws in 16 Windows services allow an attacker to run code on the system with local admin rights.
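A defender's audit for the misconfiguration described above, as an added example that is not Philips' or NIST's code: it lists Windows services whose executable lives in a directory that low-privileged principals can write to and reports the account each service runs as. It assumes a Windows host with the built-in service and ACL cmdlets and an elevated session; the principal and rights lists are assumptions you may need to widen for your environment.

```powershell
# Added example: find services whose binary directory is writable by
# low-privileged principals while the service runs as LocalSystem/admin.
# Assumes Windows PowerShell 3+ (Get-CimInstance, Get-Acl) run elevated.

$LowPrivPrincipals = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # '"C:\Program Files\X\svc.exe" -k foo' -> 'C:\Program Files\X\svc.exe'
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form: take everything up to the first .exe (case-insensitive)
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }
    return $null
}

function Test-LowPrivWritable {
    param([string]$Directory)
    # True when a low-privileged principal holds an Allow ACE with write-type rights
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

$Findings = Get-CimInstance Win32_Service | ForEach-Object {
    $exe = Get-ServiceBinaryPath $_.PathName
    if (-not $exe) { return }
    $dir = Split-Path -Path $exe -Parent
    if ($dir -and (Test-Path -LiteralPath $dir) -and (Test-LowPrivWritable $dir)) {
        [pscustomobject]@{
            Service   = $_.Name
            RunsAs    = $_.StartName          # 'LocalSystem' is the worst case
            Directory = $dir
        }
    }
}

$Findings | Sort-Object RunsAs | Format-Table -AutoSize

# Remediation sketch, once you have confirmed the service needs no user writes:
#   icacls "<Directory>" /remove:g "Authenticated Users" /remove:g "Users"
```

Any service reported with RunsAs = LocalSystem or a local administrator account matches the condition in the Philips advisory and should be remediated or isolated first.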
Mitigation guidance for this flaw comes from NIST Special Publication 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations, in the following sections:
As technology has evolved, cybersecurity risk has expanded, both in visibility and in the number of threats and vulnerabilities. This expansion has led to a heightened concern, from manufacturers and the FDA, and work has been established to identify measures to better respond to cybersecurity risk [7], [9], [25]. In Section 5.1, we describe the wireless infusion pump ecosystem by defining the components. Section 5.2 discusses the data flow, and Section 5.3 explains the set of controls that we use in our example implementation, including those for networks, pumps, pump servers, and enterprise. Section 5.4 describes the target architecture for our example implementation.
(NIST SP 1800-8, page 36)
5.3.2.2 Hardening
Wireless infusion pumps and their servers are considered computing endpoints, when it comes to hardening the software contained within these devices. Medical devices may contain third-party products, including proprietary or commercial embedded operating systems, network communication modules, runtime environments, web services, or databases. Because these products can contain vulnerabilities, medical devices may also inherit these vulnerabilities just by using the products [2], [3], [7], [9], [25]. Therefore, it is important to identify all software applications used on medical devices, implement securing and hardening procedures recommended by the manufacturers, and apply timely patches and updates to guard against any newly discovered threats.
(NIST SP 1800-8, page 52)
6.3 Maintenance
Another aspect of configuration management that HDOs will want to pursue is patching. Patching, known colloquially as bug fixing, does not require a full replacement of software and is generally performed on pump servers. The patch frequency to which manufacturers generally adhere is monthly for patches and yearly for updates. This observation on timing comes from industry, not NIST—and is considered standard practice, rather than advice:
In addition to identifying patch frequency, organizations must be aware of likely vulnerabilities and the risks that they introduce into the enterprise, and then decide whether a patch should be applied. NIST SP 800-40, Guide to Enterprise Patch Management Technologies [56], discusses the importance of patch management, as well as the challenges.
(NIST SP 1800-8, page 61)
This is further addressed and documented in NIST Special Publication 800-40 Revision 3, Guide to Enterprise Patch Management Technologies.
Vulnerabilities may be present in infusion pumps and their server components, as these devices often include embedded operating systems on the endpoints. Infusion pumps are designed to maintain a prolonged period of useful life, and, as such, may include system components (e.g., an embedded operating system) that may reach either their end of life, or a period of degraded updates prior to the infusion pump being retired from service. Patching and updating may become difficult over the course of time.
(NIST SP 1800-8, page 15)
Further documentation:
- Serious Vulnerabilities in Philips Medical Devices
- Medical Devices Certification – ISO 13485:2003: https://www.isc-global.net/medical-devices/