Manipulating Medical Devices

The Federal Office for Information Security (BSI) aims to sensitize manufacturers and the public regarding security risks of networked medical devices in Germany. In response to the often fatal security reports and press releases about networked medical devices, the BSI initiated the project Manipulation of Medical Devices (ManiMed) in 2019. In this project, a security analysis of selected products is carried out through security assessments followed by Coordinated Vulnerability Disclosure (CVD) processes. The project report was published on December 31, 2020, and can be accessed on the BSI website [1].

Scope

This blog post focuses on the security assessment of the VC150 patient monitor by the Finnish manufacturer Innokas Yhtymä Oy. The VC150 vital signs monitor provides a small, portable monitoring alternative for sub-acute hospital and non-hospital settings. The monitor is used for adult, pediatric, or neonatal patients.

The assessment covered the device’s networking functionality, including protocols such as HL7 v2.x, its administrative web interface, and the UI presented on the device’s touchscreen. A lab with an HL7 v2.x messaging engine was set up for testing the interface.

Results

The VC150’s administrative web interface is affected by a stored Cross-Site Scripting vulnerability (CVE-2020-27262). Further, the device can be shut down via keystroke injection. An attacker with one-time physical access to the USB ports can thus reboot the system and disrupt measurements performed by the patient monitor.

The device sends HL7 v2.x messages, such as observation results, to HL7 v2.x-capable electronic medical record (EMR) systems. A user with malicious intent can tamper with these messages by injecting HL7 v2.x segments into them with a connected barcode reader (CVE-2020-27260). Hence, attackers can tamper with data transmitted to further network-connected systems. This vulnerability is detailed in a blog post published in April 2020 [2]. An ICS Medical Advisory (ICSMA-21-007-01) was published on January 7, 2021 [3].

Impact

We will focus on the HL7 injection, as this is the most critical finding. Attackers cannot inject entire HL7 v2.x messages. Further, attackers cannot control the messages’ destinations. It must be noted that specific HL7 v2.x messages are specified to only contain a limited subset of all available HL7 v2.x message segments. Network-connected systems usually validate messages received from patient monitors. Therefore, attackers may only be able to inject these selected segments into a message. However, this enables attackers aware of HL7 v2.x message structures to inject arbitrary observation results, leading to misdiagnosis or medical errors. The manufacturer identified no patient harm, implemented fixes, and rolled out an update.
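An added example, not code from the original post or from the manufacturer: a sketch of how delimiter escaping keeps barcode-scanner input confined to a single HL7 v2.x field, shown next to the unescaped construction. It assumes the scanned value lands in PID-3 of an ORU^R01 message with the default delimiters; the function names, field layout and sample values are constructed for illustration.

```python
# Added illustration; field layout and names are assumptions, not the VC150's code.
HL7_ESCAPES = {
    "\\": "\\E\\",  # escape character
    "|": "\\F\\",   # field separator
    "^": "\\S\\",   # component separator
    "&": "\\T\\",   # subcomponent separator
    "~": "\\R\\",   # repetition separator
}
SEGMENT_TERMINATOR = "\r"


def escape_hl7_field(value: str) -> str:
    """Encode scanner input so it can only ever be data inside one field."""
    out = []
    for ch in value:
        if ch in HL7_ESCAPES:
            out.append(HL7_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            # Control characters (CR ends a segment) become \Xhh\ hex escapes.
            out.append("\\X%02X\\" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_oru(patient_id: str, pulse: int, escape: bool = True) -> str:
    """Build a minimal ORU^R01 message with the scanned ID in PID-3 (assumed)."""
    pid3 = escape_hl7_field(patient_id) if escape else patient_id
    segments = [
        "MSH|^~\\&|MONITOR|WARD|EMR|HOSP|20210112120000||ORU^R01|1|P|2.6",
        "PID|1||" + pid3,
        "OBR|1",
        f"OBX|1|NM|PULSE||{pulse}|/min",
    ]
    return SEGMENT_TERMINATOR.join(segments) + SEGMENT_TERMINATOR


def segment_ids(message: str) -> list:
    """Split on the segment terminator the way a receiving engine would."""
    return [s.split("|", 1)[0] for s in message.split(SEGMENT_TERMINATOR) if s]


# Constructed scanner input: a barcode carrying a CR and an extra OBX segment.
SCANNED = "4711\rOBX|2|NM|PULSE||30|/min"
```

Without escaping, the receiver parses an additional OBX segment from the scanned value; with escaping, the message keeps its intended four segments and the scanned bytes stay inside PID-3.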

References

[1] Bundesamt für Sicherheit in der Informationstechnik (BSI). Veröffentlichungen. Online (accessed January 12, 2021): https://www.bsi.bund.de/DE/Themen/DigitaleGesellschaft/eHealth/Medizintechnik/Veroeffentlichungen/cybermed_node.html
[2] Julian Suleder. Medical Device Security: HL7v2 Injections in Patient Monitors. April 23, 2020. Online (accessed January 12, 2021): https://insinuator.net/2020/04/hl7v2-injections-in-patient-monitors/
[3] ICS Medical Advisory (ICSMA-21-007-01): Innokas Yhtymä Oy Vital Signs Monitor. January 7, 2021. Online (accessed January 12, 2021): https://us-cert.cisa.gov/ics/advisories/icsma-21-007-01