Cynerio, a cybersecurity solutions provider specializing in helping healthcare organizations identify and prevent cyberattacks, today commented on a new ICS-CERT advisory on vulnerabilities found in BD Pyxis products, a medication and supply management system. ICS-CERT is the US government agency in charge of the cybersecurity posture of critical infrastructure in the US.
Leon Lerman, CEO at Cynerio:
“BD, a medical device manufacturer, has warned that some of its products might be vulnerable to an industry-wide set of WiFi vulnerabilities known as KRACK. These vulnerabilities expose WiFi communications to a man-in-the-middle (MiTM) attack by an attacker in physical proximity – for access points using WPA and WPA2 – the standard security protocols for WiFi.
The BD devices that might be affected are from the domains of anesthesia and smart-pharmacology, and while these vulnerabilities are generic and can affect products from different industries including everyday desktops, it’s obvious that when it comes to medical devices the stakes are much higher and a MiTM attack that might disrupt or spoof communications is intolerable.
As hospitals become increasingly connected, their network-security professionals should keep track of different attack surfaces in their network bounds, which today include internet-communicating machines, internal ethernet networks and lately also WiFi-connected medical devices, and as attackers only need one opening to get in, defenders should deploy solutions that facilitate full control over the whole network. BD has implemented 3rd party patches for affected devices and healthcare providers should work in coordination with them to make sure the latest security patches are deployed.”
Cynerio has published an “explainer” including advice for healthcare organizations following another recent ICS-CERT advisory, this one detailing a series of 23 vulnerabilities in popular GE medical devices. In the post, Cynerio offers the following:
What should hospitals do?
- Healthcare facilities’ network administrators should work in coordination with their medical-devices vendors to make sure they have the latest security patches installed
- Default credentials should be changed to more secure site-credentials while making sure device functionality and interoperability are not hindered
- Security professionals in healthcare should put in place controls that will enable full visibility of the medical entities on the network, making it possible to understand their behavior and trace and mitigate anomalies and vulnerabilities in real-time; you cannot defend what you cannot see
- By understanding the actual deployment of medical devices, and devices containing personal patient information, security professionals can apply defense-in-depth principles, leaving medical entities unexposed to the internet – and only allow internet communications to medical devices through secure VPN tunnels and according to necessity