A vulnerability has been identified in Change Healthcare Cardiology, McKesson Cardiology, and Horizon Cardiology devices.
The vulnerability could be exploited by a locally authenticated user to insert files that could allow the attacker to execute arbitrary code on a vulnerable device.
The vulnerability – CVE-2019-18630 – was identified by Alfonso Powers and Bradley Shubin of Asante Information Security who reported the vulnerability to Change Healthcare. Change Healthcare notified the National Cybersecurity & Communications Integration Center (NCCIC) and a security advisory has now been issued by US-CERT.
The vulnerability has been assigned a CVSS v3 base score of 7.8 out of 10 and is the result of incorrect default permissions in the default installation. While the vulnerability only requires a low level of skill to exploit, an attacker would first need local system access which will limit the potential for the flaw to be exploited.
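Because the root cause is incorrect default permissions in the installation, the check a defender wants is an audit that walks the install tree and flags any file or directory that lower-privileged users can write to. The following is an added example, not code from Change Healthcare or from the advisory; it uses POSIX mode bits (write-for-other) as a stand-in for the loose Windows ACLs the advisory describes, and the directory layout and file names it builds are constructed sample data, not the product's real layout.

```python
import os
import stat
import tempfile
from pathlib import Path


def find_world_writable(root):
    """Walk `root` and return the relative paths of every regular file or
    directory whose mode grants write permission to 'other'.

    The POSIX 'other-writable' bit is used here as the analogue of an ACL
    that lets any local authenticated user drop files into the tree
    (assumption: the real product runs on Windows, where the same audit
    would inspect ACL entries instead of mode bits).
    """
    root = Path(root)
    flagged = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [Path(dirpath)] + [Path(dirpath) / f for f in filenames]
        for p in entries:
            mode = p.lstat().st_mode
            if stat.S_ISLNK(mode):
                # Symlink mode bits are meaningless; audit the target separately.
                continue
            if mode & stat.S_IWOTH:
                flagged.append(str(p.relative_to(root)))
    return sorted(flagged)


def build_sample_install():
    """Create a constructed, throw-away install tree with one deliberately
    loose directory and one loose file, returning its root path.

    Layout (constructed for this example only):
      bin/service.exe     0755  -> tight
      config/app.ini      0644  -> tight
      plugins/            0777  -> loose: anyone can add files here
      plugins/loader.dll  0666  -> loose: anyone can overwrite it
    """
    root = Path(tempfile.mkdtemp(prefix="cardiology_sample_"))
    os.chmod(root, 0o755)

    layout = {
        "bin": 0o755,
        "bin/service.exe": 0o755,
        "config": 0o755,
        "config/app.ini": 0o644,
        "plugins": 0o777,
        "plugins/loader.dll": 0o666,
    }
    for rel, mode in layout.items():
        p = root / rel
        if "." in p.name:
            p.write_text("sample content\n")
        else:
            p.mkdir()
        os.chmod(p, mode)  # explicit chmod so the umask does not interfere
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_install()
    for path in find_world_writable(sample_root):
        print(f"loose permissions: {path}")
    # expected: plugins and plugins/loader.dll are reported; bin/ and config/ are not
```

Run against a real installation by replacing `build_sample_install()` with the product's install directory; every path the audit reports is a location where a local user could plant a file of their choosing, which is exactly the condition the vendor patch corrects.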
Change Healthcare has issued an advisory for users of the following cardiology devices:
- Horizon Cardiology 11.x and earlier
- Horizon Cardiology 12.x
- McKesson Cardiology 13.x
- McKesson Cardiology 14.x
- Change Healthcare Cardiology 14.1.x
Change Healthcare has developed a patch to correct the vulnerability. All users of the above-affected products have been advised to contact their Change Healthcare Support representative to arrange for the patch to be installed.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recommends the following mitigations to reduce the potential for the vulnerability to be exploited until such time as the patch can be applied:
- Minimize network exposure for control system devices and/or systems.
- Locate medical devices behind firewalls.
- Isolate medical devices as far as is possible.
- Implement safeguards that restrict access to medical devices to authorized personnel.
- Apply the principle of least privilege to access controls.
- Apply defense-in-depth strategies.
- Disable unnecessary accounts, protocols, and services.
Prior to implementing any mitigations, healthcare providers should conduct an impact analysis and risk assessment.