(Tech Xplore)—Siemens is preparing updates for affected products as a result of their identifying vulnerabilities in Siemens' medical molecular imaging products running on Windows 7.
Four affected products are (1) Siemens PET/CT Systems: All Windows 7-based versions (2) Siemens SPECT/CT Systems: All Windows 7-based versions (3) Siemens SPECT Systems: All Windows 7-based versions, and (4) Siemens SPECT Workplaces/Symbia.net: All Windows 7-based versions.
From the official website of the Department of Homeland Security came an advisory on August 3 from ICS-SCERT, which stands for Industrial Control Systems Cyber Emergency Response Team. It was titled "Siemens Molecular Imaging Vulnerabilities."
"Siemens has identified four vulnerabilities in Siemens' Molecular Imaging products running on Windows 7," said the advisory in its Overview section.
The advisory in the Overview said these vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are known to be publicly available.
Under the Impact section, it said that "Successful exploitation of these vulnerabilities may allow the attacker to remotely execute arbitrary code."
They stated "Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage."
Meanwhile, a Siemens security advisory dated July 26, "Microsoft Web Server and HP Client Automation Vulnerabilities in Molecular Imaging Products from Siemens Healthineers" stated, "Select Molecular Imaging products from Siemens Healthineers are affected by select Microsoft Windows 7 and HP Client Automation vulnerabilities." Siemens was working on updates for affected products, their advisory said, and they recommended specific countermeasures until fixes were available.
Sean Gallagher, Ars Technica's IT Editor, is a former Navy officer, systems administrator, and network systems integrator who was one of the tech watchers commenting on the news.
Gallagher observed that systems like the scanners were at risk from cryptoransomware and other malware attacks that spread laterally on networks, "because medical systems often share the same network as administrative systems. In such a setup, a click on an e-mail attachment or unpatched legacy Web server software could trigger a breach that could effectively shut hospitals down."
Georgina Prodhan in Reuters on Monday said that "Initially, the Munich-based company advised hospital and other medical customers to disconnect the scanners until a update was released. But the company spokesman said on Monday that after further review, it no longer believed disconnecting the scanners was necessary."
According to the report from Reuters, "Based on the existing controls of the devices and use conditions, we believe the vulnerabilities do not result in any elevated patient risk," Siemens said. "To date, there have been no reports of exploitation of the identified vulnerabilities on any system installation worldwide."
(The advisory under the "Difficulty" section said that "An attacker with a low skill would be able to exploit these vulnerabilities.")
Prodhan further quoted a UK-based computer security analyst. Graham Cluley said, "It does seem that these vulnerabilities can be exploited remotely and rather trivially." Cluley said hospitals in general were badly protected against hacking, "partly because of underfunding and partly because some older medical machines are not compatible with the latest versions of software operating systems."
Reuters reported on Monday, however, that a Siemens spokesperson said no evidence of any attack had been found.