Medical Device Security Risks

The Cybersecurity & Infrastructure Security Agency (CISA) recently released an advisory warning of vulnerabilities in Philips MRI 1.5T: Version 5.x.x and MRI 3T: Version 5.x.x. If exploited, these medical device security risks could allow an unauthorized user to access patient information and to modify system configuration.

What Vulnerabilities Were Uncovered?

Three medical device security vulnerabilities were reported in the Philips MRI machines: improper access control, incorrect ownership assignment, and exposure of information to actors who are not explicitly authorized to access it.

  • Improper access control: the software does not restrict, or incorrectly restricts, access to a resource. In practice this means the system cannot reliably confirm who is making a request, limit that user to the resources they are authorized for, or track who accessed which data.
  • Incorrect ownership assignment: the software assigns a resource (such as a file or configuration object) to the wrong owner, potentially allowing a threat actor to read or modify data they should not be able to touch.
  • Exposure of information to an unauthorized actor: the software makes sensitive data available to someone not authorized to see it, which on an MRI system can mean exposure of protected health information (PHI).

According to CISA, CVE data for these vulnerabilities are currently under review and Philips plans to release an upgrade by October 2022. In the meantime, CISA recommends that, “Users should operate all Philips deployed and supported products within Philips authorized specifications, including physical and logical controls. Only allowed personnel are permitted in the vicinity of the product.”


How to Limit Medical Device Security Risks

Many HIPAA requirements can help you improve your overall security posture, including limiting medical device security risks. HIPAA requires healthcare organizations to adhere to the minimum necessary standard, which dictates that access to PHI be limited to only what an employee needs to complete their job functions.

How does this relate to medical device security? Under the minimum necessary standard, healthcare organizations must limit access to PHI through user authentication and access controls. In the case of the Philips MRI machines, the device's own authentication and access controls are the weak point, so the likelihood of PHI exposure is reduced by limiting which employees hold credentials for the machines at all, and by limiting which employees have physical access to them, consistent with the CISA recommendation above.
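The weakness classes listed above (no reliable check of who is asking, no limit on what they get, no record of the access) and the minimum necessary standard described here come together in one small pattern: deny-by-default, field-level authorization with an audit trail. The following is an added illustration written for this page, not code from Philips, CISA or any MRI product. The record, the role names and the field-to-role mapping are constructed assumptions for the example; the point is the shape of the check, not the specific fields.

```python
"""Constructed example: an unchecked PHI lookup (the improper-access-control
pattern) beside a deny-by-default, minimum-necessary lookup with audit logging.
Record contents, roles and field names are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed sample record. Field names are assumptions for the example.
PATIENT_RECORD: Dict[str, str] = {
    "patient_id": "P-0001",
    "name": "Jane Doe",
    "dob": "1980-01-01",
    "scan_protocol": "T1 lumbar spine",
    "scan_images": "<dicom blob>",
    "insurance_id": "INS-4242",
    "diagnosis": "L4-L5 disc herniation",
}

# Minimum-necessary policy: each role sees only the fields its job needs.
# A role that is not listed here (for example a vendor account that was
# never meant to see PHI) is granted nothing, i.e. deny by default.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "mri_technologist": frozenset({"patient_id", "name", "scan_protocol", "scan_images"}),
    "radiologist": frozenset({"patient_id", "name", "dob", "scan_protocol",
                              "scan_images", "diagnosis"}),
    "billing": frozenset({"patient_id", "name", "insurance_id"}),
}


@dataclass
class User:
    username: str
    roles: FrozenSet[str]
    authenticated: bool = False  # set by an authentication step, not by the caller


@dataclass
class AuditLog:
    """Every decision is recorded so that data access can be tracked later."""
    entries: List[str] = field(default_factory=list)

    def record(self, user: User, outcome: str, fields) -> None:
        self.entries.append(
            f"user={user.username} outcome={outcome} fields={sorted(fields)}")


def fetch_record_unchecked(user: User, record: Dict[str, str]) -> Dict[str, str]:
    """The weak pattern: no authentication or authorization check at all.
    Whoever reaches this code path gets the whole record, which is exactly
    how an improper-access-control weakness turns into PHI exposure."""
    return dict(record)


def fetch_record(user: User, record: Dict[str, str], audit: AuditLog) -> Dict[str, str]:
    """Hardened pattern: refuse unauthenticated callers, compute the union of
    fields the user's roles permit, refuse if that union is empty, and log
    the decision either way. Fields outside the allowed set are never
    returned, so a billing user cannot see a diagnosis even by accident."""
    if not user.authenticated:
        audit.record(user, "deny-unauthenticated", set())
        raise PermissionError("authentication required")
    allowed: FrozenSet[str] = frozenset().union(
        *(ROLE_FIELDS.get(role, frozenset()) for role in user.roles))
    if not allowed:
        audit.record(user, "deny-no-authorized-role", set())
        raise PermissionError(f"{user.username} has no role granting PHI access")
    view = {k: v for k, v in record.items() if k in allowed}
    audit.record(user, "allow", view.keys())
    return view


def run_demo() -> Dict[str, object]:
    """Exercise both patterns with constructed users and return the outcomes."""
    audit = AuditLog()
    tech = User("tech1", frozenset({"mri_technologist"}), authenticated=True)
    vendor = User("vendor1", frozenset({"field_engineer"}), authenticated=True)
    anon = User("anon", frozenset(), authenticated=False)

    outcomes: Dict[str, object] = {}
    outcomes["tech_fields"] = sorted(fetch_record(tech, PATIENT_RECORD, audit))
    for label, user in (("vendor", vendor), ("anon", anon)):
        try:
            fetch_record(user, PATIENT_RECORD, audit)
            outcomes[label] = "allowed"
        except PermissionError as exc:
            outcomes[label] = f"denied: {exc}"
    # The unchecked lookup hands the unauthenticated caller everything.
    outcomes["unchecked_fields"] = sorted(fetch_record_unchecked(anon, PATIENT_RECORD))
    outcomes["audit_entries"] = len(audit.entries)
    return outcomes


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The shape to take away is that the allowed set is computed from an explicit allowlist and the request is refused when that set is empty; an unknown role never falls through to "show everything". The audit entries are what later lets you answer "who looked at this patient's record", which is the tracking requirement the improper-access-control bullet calls out.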

Organizations that are already HIPAA compliant are better positioned here, since they would have policies and procedures in place to ensure adherence to the minimum necessary standard. Those policies and procedures would spell out the administrative, technical, and physical safeguards required to limit MRI machine access to authorized personnel only.

The FDA also released guidance to improve medical device security, “Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients. These same features also increase potential cybersecurity risks. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. Threats and vulnerabilities cannot be eliminated and reducing cybersecurity risks is especially challenging. The health care environment is complex, and manufacturers, hospitals, and facilities must work together to manage cybersecurity risks.”