Software Vulnerability Identified in Change Healthcare Cardiology Devices
Cybersecurity researchers have identified a flaw in Change Healthcare Cardiology, McKesson Cardiology, and Horizon Cardiology devices.
Locally authenticated users could exploit the flaw to insert files that could allow the attacker to execute arbitrary code on a vulnerable device.
Alfonso Powers and Bradley Shubin of Asante Information Security identified the flaw (CVE-2019-18630) and reported the vulnerability to Change Healthcare. Change Healthcare notified the National Cybersecurity & Communications Integration Center (NCCIC) and a security advisory has now been issued by US-CERT.
The vulnerability has been assigned a CVSS v3 base score of 7.8 out of 10 and is the result of incorrect default permissions in the default installation. While the vulnerability only requires a low level of skill to exploit, an attacker would first need local system access which will limit the potential for the flaw to be exploited.
Change Healthcare has issued an advisory for users of the following cardiology devices:
- Horizon Cardiology 11.x and earlier
- Horizon Cardiology 12.x
- McKesson Cardiology 13.x
- McKesson Cardiology 14. x
- Change Healthcare Cardiology 14.1.x
Change Healthcare has developed a patch to correct the vulnerability. They advise all users of the affected products to contact their Change Healthcare Support representative at the first instance to arrange for the patch to be installed.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recommends the following mitigations to reduce the potential for the vulnerability to be exploited until such time as the patch can be applied:
- Minimize network exposure for control system devices and/or systems.
- Locate medical devices behind firewalls
- Isolate medical devices as far as is possible
- Implement safeguards that restrict access to medical devices to authorized personnel
- Apply the principle of least privilege to access controls.
- Apply defense-in-depth strategies
- Disable unnecessary accounts, protocols and services.
Prior to implementing any mitigations, healthcare providers should conduct an impact risk analysis and risk assessment.
A full report on the flaw can be seen on the US-CERT website: https://www.us-cert.gov/ics/advisories/icsma-19-241-01