August 30, 2019 - A hacker with low skill level could gain control of connected cardiology devices made by Change Healthcare, warned an ICS-CERT advisory.
“Insecure file permissions in the default installation may allow an attacker with local system access to execute unauthorized arbitrary code,” the advisory explained.
The vulnerability affects the following Change Healthcare cardiology devices: Horizon Cardiology 11.x and earlier, Horizon Cardiology 12.x, McKesson Cardiology 13.x, McKesson Cardiology 14.x, and Change Healthcare Cardiology 14.1.x.
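The advisory describes a vulnerability class rather than a specific exploit: an application installed with permissions loose enough that a local, unprivileged user can overwrite files the product itself executes or loads. The script below is an added example (not code from the advisory, CISA, or Change Healthcare) of the kind of audit a defender would run over an install tree to find that condition. It checks POSIX permission bits and builds its own constructed sample tree; the advisory does not state the affected platform, and on Windows hosts the equivalent check inspects the directory and file ACLs instead. The names `audit_install_tree`, `build_demo_tree`, and `EXEC_SUFFIXES` are hypothetical and chosen for this illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Suffixes treated as executable or loadable content in an application install
# tree. Constructed list for this example; extend it for the product in question.
EXEC_SUFFIXES = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".sh", ".py", ".jar"}


def _is_writable_by_others(mode: int) -> bool:
    """True if the group or world write bit is set on the mode."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_install_tree(root):
    """Walk an install tree and report entries a non-owner could modify.

    Returns a sorted list of (relative_path, reason) tuples. Reasons:
      'writable-executable': a file with an executable suffix or exec bit that
                             group/world can overwrite (code tampering or
                             binary replacement by a local user).
      'writable-directory':  a directory group/world can write into (dropping
                             or replacing files in the application's own path).
    """
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if _is_writable_by_others(d.lstat().st_mode):
            findings.append((str(d.relative_to(root)), "writable-directory"))
        for name in filenames:
            p = d / name
            st = p.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on a symlink itself are not meaningful
            looks_exec = (p.suffix.lower() in EXEC_SUFFIXES
                          or bool(st.st_mode & stat.S_IXUSR))
            if looks_exec and _is_writable_by_others(st.st_mode):
                findings.append((str(p.relative_to(root)), "writable-executable"))
    return sorted(findings)


def build_demo_tree() -> str:
    """Create a constructed sample install tree with one clean and two weak entries.

    Returns the path of the temporary root directory. The layout is invented for
    this example and does not represent any real product's installation.
    """
    base = Path(tempfile.mkdtemp(prefix="install_audit_demo_"))
    (base / "bin").mkdir()
    (base / "plugins").mkdir()
    good_exe = base / "bin" / "viewer.exe"
    weak_exe = base / "bin" / "service.exe"
    good_exe.write_bytes(b"MZ")                       # placeholder binary content
    weak_exe.write_bytes(b"MZ")
    (base / "plugins" / "README.txt").write_text("constructed sample\n")
    os.chmod(base, 0o755)
    os.chmod(base / "bin", 0o755)
    os.chmod(good_exe, 0o755)       # owner-writable only: correct
    os.chmod(weak_exe, 0o777)       # world-writable executable: finding
    os.chmod(base / "plugins", 0o777)  # world-writable directory: finding
    return str(base)


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel_path, reason in audit_install_tree(demo_root):
        print(f"{reason:20s} {rel_path}")
```

Run against a real install directory instead of the demo tree, the same function gives a list that maps directly onto the advisory's wording: each "writable-executable" entry is a file a local user could replace with code the application would later run, and each "writable-directory" entry is a place where such a file could be planted. Tightening those entries to owner-write-only is the least-privilege fix CISA's guidance points at, pending the vendor's patch.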
In 2017, Change Healthcare merged with McKesson and its Horizon brand of medical devices.
Alfonso Powers and Bradley Shubin of Asante Information Security reported the vulnerability.
Change Healthcare recommended that users of the vulnerable devices contact the company to arrange for installation of a security patch.
In addition, the Cybersecurity and Infrastructure Security Agency (CISA) recommended users take the following measures to minimize the risk of exploitation of this vulnerability:
Minimize network exposure for all control system devices and/or systems
Locate medical devices behind firewalls and isolate them where possible
Restrict system access to authorized personnel only and follow a least privilege approach
Apply defense-in-depth strategies
Disable any unnecessary accounts, protocols, and services
CISA also advised organizations to perform an impact analysis and risk assessment prior to instituting defensive measures.
In May, the Food and Drug Administration (FDA) issued a recall of Change Healthcare’s Horizon Cardiology Hemo monitoring systems for buggy software.
The FDA said that because of software problems, “users are not notified of procedure medication discrepancies between the Vitals and Meds, the Procedure Notes and Patient Common Data screens in Horizon/McKesson Cardiology Hemo. The discrepancy may also affect administered medication data in reports generated from Hemo or the Horizon/McKesson Cardiology Physician’s Report as well as customers, who have implemented an outbound interface of procedure results.”
Change Healthcare notified customers that the issue can occur under the following circumstances: When a user intentionally updates the Physician Report, overriding procedure medication derived from the Hemo report; when a user intentionally updates the medication information charted for Pre- or Intra- procedure stage from the Intra- or Post-procedure stage (respectively); or due to an unexpected system error.
Change Healthcare has issued a software update to fix the problem.