Thirteen vulnerabilities have been identified in medical devices made by a range of vendors in the healthcare industry, according to a Nov. 9 CNN report.
Five things to know:
- Cybersecurity firm Forescout Technologies discovered 13 vulnerabilities that affect different versions of Nucleus Real-Time Operating System, a suite of software developed by Siemens and used by other vendors, according to the report.
- The vulnerabilities affect patient monitors, ultrasound devices, anesthesia devices and X-ray machines. Forescout researchers said there are thousands of active healthcare devices running with these flaws in their software.
- The researchers tested the 13 software vulnerabilities in a lab, CNN reported. In one example, they sent malicious commands to a building automation system deployed in hospitals. Researchers were able to take the mock hospital offline, turn off its lights and cut off its HVAC system, according to the report. To deploy these commands, the device would need to be connected to the internet or the hacker would need to be on the hospital's network.
- Siemens worked with cybersecurity firms and federal officials to verify vulnerabilities and address them through software updates. The Cybersecurity and Infrastructure Security Agency issued notice Nov. 9 advising device users to update their devices, according to the report.
- Matt Hartman, CISA deputy executive assistant director for cybersecurity, told CNN that once the vulnerabilities were uncovered, the agency "began working with our partners across all potentially affected critical infrastructure sectors, including in the healthcare sector, to inform potentially at-risk vendors of this vulnerability and provide guidance on remediating it."