German Firm Siemens Will Update PET Scanner Software as DHS Issues Security Warning for Machines.
Cyber-attacks on medical equipment are intensifying with every passing day. The latest addition to the list of unsecured medical equipment is the Positron Emission Tomography (PET) scanners manufactured by the Munich-based company Siemens.
These scanners require Microsoft Windows 7 to run and their purpose is to reveal the functioning of tissues and organs. This is done with the help of a radioactive drug that traces the activities of these tissues/organs. PET scanners are used to diagnose cancerous cells, brain diseases, and cardiac disorders.
Reportedly, Siemens has identified security flaws in these scanners, and it is believed that cybercriminals can remotely exploit the device. The company initially told its customers, including hospitals, to immediately disconnect the scanners and wait for an update, which is due to be released soon. However, further review revealed that disconnecting the scanners was not necessary because patients were not at risk.
“To date, there have been no reports of exploitation of the identified vulnerabilities on any system installation worldwide,” said a spokesperson of Siemens.
Siemens used the Common Vulnerability Scoring System (CVSS), an open industry-standard risk assessment system, and concluded that the vulnerability’s security severity ranking was 9.8/10.
It is worth noting that imaging machines like the PET scanners don’t have to be directly connected to the internet to function. Instead, they need to be connected to the clinical IT system. If that system is infected, the machine will be affected by the infection as well.
Graham Cluley, an independent computer security analyst, states that the problem is quite serious because the vulnerabilities in medical equipment can be exploited remotely. He further claimed that hospitals were poorly protected against hacking, probably for two reasons: underfunding and old equipment that is not compatible with advanced operating systems.
The German industrial firm Siemens is, therefore, likely to issue a software update by the end of this month to fix the vulnerability that would lead to the hacking of PET scanners.
The US Department of Homeland Security notified companies about the possibility of a hack attack on medical equipment running on Windows 7 by a “low skill” hacker. The warning notice released last week read:
“An attacker with a low skill would be able to exploit these vulnerabilities.”
The attacker would supposedly use vulnerabilities that exist in older versions of MS Windows.
According to Siemens’ spokesperson, as of now, there is no evidence of an attack on its devices. Still, the company’s decision to fix the flaw through a patch is evidence of the increasing focus on thwarting cyber-attacks on medical equipment.