Philips ultrasound system is easily hackable; now criminals can modify your ultrasound scans

The US Department of Homeland Security (DHS) has issued an information security alert covering medical solutions developed by the tech companies Philips and McKesson, technology sold by Change Healthcare.

The alert concerns a critical vulnerability in a cardiovascular analysis system that lets cardiologists collect data from multiple sources for each patient, so that all medical personnel can easily access this information. The flaw has received a score of 7.8/10 on the Common Vulnerability Scoring System (CVSS) scale, making it a serious security issue.

According to information security experts, exploiting this vulnerability could allow hackers to execute arbitrary code, compromising the analysis systems used by cardiologists. Hackers could also access the information stored in these systems or even alter the results of an ultrasound or cardiovascular analysis.

Several generations of cardiology computer systems sold by McKesson and Change Healthcare could be affected by the vulnerability. The companies are working to address it quickly, while experts advise users to review their firewall settings in detail and to disable accounts that are not critical to hospital operations.

Moreover, DHS released a second security alert regarding a flaw in Philips HDI 4000 ultrasound systems running the Windows 2000 operating system and older ones. If exploited, this flaw would allow hackers with a presence on the local subnetwork to access the images generated by these systems.

One of the main causes of this problem is that Philips stopped supporting these devices almost six years ago, so the vulnerability will not be corrected. Instead, users of these systems are advised to invest in upgrading their ultrasound equipment so that it runs an operating system that is still being maintained. Where it is not possible to purchase new equipment, information security experts recommend that hospitals restrict access to these systems as much as possible, eliminating unused accounts and updating access credentials.

This is the third information security alert related to Philips medical systems this year; previously, the flaws were related to the company's Tasy Electronic Medical Record System. This is also the second time Change Healthcare has been notified of security flaws in its products.

Although hospitals are not the most common targets, information security specialists from the International Institute of Cyber Security (IICS) say that the tendency to look for weaknesses in hospitals' technological infrastructure for malicious purposes has increased recently. A couple of weeks ago, news emerged of a ransomware attack against a hospital group based in France; as a result of the attack, the systems of a clinic for more than a hundred patients were completely shut down, so administrative staff and medical professionals had to improvise to keep operations at a relatively normal level.