13 new security breaches in medical devices

Sheila Zabeu

November 13, 2021

Vulnerabilities recently found in software used by medical equipment could lead to failures in hospital control systems. The warning came from researchers at Forescout Research Labs who identified problems in the Nucleus TCP/IP stack, which handles the basic communication in networks and is widely used, for example, in anesthesia machines, ventilators, patient monitors, and other healthcare devices.

Nucleus TCP/IP is part of the Nucleus Real-time Operating System (RTOS). Both were originally developed by Accelerated Technology, Inc. (ATI) in 1993, then acquired by Mentor Graphics in 2002 and finally by Siemens in 2017. They are used in various industries with demanding safety requirements, such as medical, automotive, and industrial.

According to Forescout, Siemens has already released fixes for all 13 vulnerabilities found. About half of them had already been fixed earlier, but CVE IDs (Common Vulnerabilities and Exposures) were never issued for them. According to the Siemens website, the Nucleus system is deployed in three billion devices.


Forescout's labs have published a video showing two possible attacks.

While connected medical devices are currently the focus of much cybersecurity discussion, Forescout warns that other categories of IoT (Internet of Things) and OT (Operational Technology) devices used in hospitals can also be affected by these vulnerabilities in the Nucleus TCP/IP stack. For example, building automation equipment is used in hospitals for functions such as access control, fire alarms, lighting, heating, and ventilation. Although these functions are not directly associated with patients, they are essential to healthcare.


Forescout’s recommendation for protecting against these vulnerabilities in the Nucleus TCP/IP stack, dubbed NUCLEUS:13, is to install the patches offered by Siemens and equipment vendors on affected devices. Forescout has also released an open-source script that helps identify devices running the Nucleus system; the script is constantly being updated with new signatures.

However, for embedded devices, installing patches is not always easy. In these situations, the alternative is to adopt risk mitigation strategies: apply segmentation controls, restrict communication routes to the outside world, and isolate vulnerable devices until they can be patched. Another recommended course of action is to monitor network traffic for malicious packets attempting to exploit these vulnerabilities.

Health at risk

The healthcare sector is one of the top targets for cybercriminals. However, a cyberattack in this segment puts more than computer systems at risk: it puts vulnerable patients and, ultimately, lives at risk.

According to the CyberPeace Institute, which analyzed data relating to more than 235 cyberattacks against the healthcare sector in 25 countries over a 12-month period, some 9.6 million records were stolen, including social security numbers, medical records, HIV test results, and private details of medical donors. In 89% of cases, the systems went offline. Healthcare ransomware attacks occurred at a rate of four incidents per week in the first half of 2021.

And that’s just the tip of the iceberg, as there is a significant lack of public reporting and available data in many regions. This is an important sticking point in healthcare cybersecurity: in many cases, information about cyberattacks comes only from compiling data that the ransomware operators themselves, i.e. the criminals, choose to release, which is unacceptable. In the institute’s view, taking effective action against cybercrime in the healthcare sector requires encouraging transparent reporting that improves the understanding of threats and the ability to take appropriate action to mitigate them.