Dive Brief:
- The U.S. Cybersecurity and Infrastructure Security Agency has issued an alert about critical vulnerabilities in Siemens software that could affect millions of medical devices from multiple manufacturers.
- The cyber agency, following the lead of the researchers who identified the weaknesses, scored one of the vulnerabilities 9.8 on a 10-point risk scale, reflecting the potential for hackers to disrupt the operation of critical medical devices such as anesthesia machines and bedside monitors. To date, there are no known attacks that have specifically targeted the vulnerabilities.
- CISA's alert states that Siemens has released updates for several of the affected products and the company is advising users of unpatched devices to take countermeasures but "has not identified any additional specific workarounds or mitigations." A Siemens Healthineers spokesperson in an emailed statement said the company is aware of the vulnerabilities and is investigating to identify if any of its products are affected.
Dive Insight:
Forescout Research Labs, with support from Medigate Labs, first identified the weaknesses. The researchers discovered a set of 13 vulnerabilities that affect Siemens' software, which is often used in computers embedded in larger systems such as medical devices. The vulnerabilities, which range from a moderate 5.3 to a critical 9.8 on the risk scale, could cause denial of service, information leaks or the execution of remote code.
Anesthesia machines, ventilators and patient monitors are among the medical devices possibly impacted. Forescout researchers used various techniques to estimate the number of devices affected by the vulnerabilities, known collectively as Nucleus:13, and discovered evidence of the use of the software in Zoll defibrillators, Zonare ultrasound devices, a GE Healthcare anesthesia machine and a Nihon Kohden bedside monitor.
GE has already evaluated the impact of Nucleus:13 on its devices, completing assessments of the "limited number" of subcomponents that use the software. "The product teams have evaluated the security design and mitigating controls. Given these design controls and mitigations in place, GE Healthcare has determined these products are not impacted by these vulnerabilities," GE wrote.
A Siemens Healthineers spokesperson said the company continues to "monitor the issue as it develops and might notify customers, if it is necessary, through Siemens Healthineers teamplay Fleet customer online portal."
The FDA wants all manufacturers to assess their exposure to these vulnerabilities in the Siemens software, which was originally released in 1993.
"It is important for medical device manufacturers to have a mechanism to quickly ascertain if their devices are affected," Kevin Fu, acting director of medical device cybersecurity at the FDA's Center for Devices and Radiological Health, told CNN, the first outlet to report the news.
An assessment performed by Forescout identified more than 2,200 healthcare devices vulnerable to the cybersecurity weaknesses. The number of affected devices is more than twice that in any other industry. Across all industries, the researchers identified "close to 5,500 devices from 16 vendors in 127 customers."
CISA is advising users to take defensive measures to cut the risk of the vulnerabilities being exploited and to update vulnerable devices once updates are available.
Nick Yuran, CEO of security consultancy Harbor Labs, said none of his clients use the affected version of the Nucleus stack, but that he sees it as yet "another wake-up call" for the medtech industry about the hidden risks in older legacy medical devices.
"We often find these same classes of vulnerability being repeated across different software platforms of the same era. Based on the age of Nucleus, some of the affected devices could have been in clinical use with these vulnerabilities for more than 20 years," Yuran said.
The three most severe vulnerabilities described in Nucleus:13 each allow an attacker to launch a denial-of-service attack or achieve remote code execution, Yuran warned, which he called "potential security outcomes that have historically led regulators to intervene with a strong hand."
The good news is that most of the classes of medical devices affected by the vulnerabilities are "commonly either not networked, or are shielded and isolated on their own network segments," Yuran added.
Greg Slabodkin contributed reporting.