
Advisory Issued Over Vulnerabilities in BeaconMedaes TotalAlert Scroll Medical Air Systems Web Application

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory about remotely exploitable vulnerabilities in the BeaconMedaes TotalAlert Scroll Medical Air Systems web application.

The vulnerabilities are present in TotalAlert Scroll Medical Air Systems running software versions 4107600010.23 and earlier and require a low level of technical skill to exploit.

If successfully exploited, an attacker could view and potentially modify device information and web application setup information, although those modifications would not be sufficient to affect the ability of the device to operate as designed.

BeaconMedaes has stressed that the vulnerabilities cannot be exploited to gain access to patient health information and do not compromise compliance with the NFPA 99 standard for healthcare facilities.


ICS-CERT says two of the vulnerabilities have a CVSS v3 score of 7.5 out of 10 (high) and one has a CVSS v3 score of 5.3 (medium).

The two vulnerabilities rated high are CWE-522 – Insufficiently Protected Credentials and CWE-256 – Unprotected Storage of Credentials. The CWE-522 flaw could be exploited by an attacker with network access to the integrated web server to retrieve default or user-defined credentials that are stored and transmitted insecurely. The CWE-256 flaw concerns passwords held in plaintext in a file that can be retrieved without authentication.

CWE-284 – Improper Access Control – is rated medium. By requesting a specific URL on the web server, an attacker could read information from the application without authenticating.
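The CWE-256 and CWE-522 findings above describe the same root problem: a credential that is only as secret as the file or connection that carries it. The following added example (not BeaconMedaes or ICS-CERT code; the config layout, field names and sample password are constructed) shows the plaintext pattern beside the hardened one, in which the server stores a salted PBKDF2 hash in an owner-only file outside the web root and verifies logins against it with a constant-time comparison:

```python
"""Plaintext credential storage (the CWE-256 pattern) beside a hashed alternative.
Added example; the file layout, field names and password are assumptions."""
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

# Constructed sample of the weak pattern: a config file an embedded web server
# might expose, with the admin password written as-is (hypothetical content).
WEAK_CONFIG = "admin_user=admin\nadmin_pass=Welcome1\n"

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; tune to the device's CPU).
ITERATIONS = 600_000


def plaintext_password(config_text: str) -> str:
    """Anyone who can fetch the weak file recovers the password with a string split."""
    for line in config_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "admin_pass":
            return value.strip()
    return ""


def make_record(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'; the password itself is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def write_credential_file(path: str, record: str) -> None:
    """Create the file with mode 0600 so only the service account can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"admin_user=admin\nadmin_pass_hash={record}\n")


def demo(password: str = "Welcome1") -> dict:
    """Write a hardened credential file to a temp dir and report what an attacker would see."""
    record = make_record(password)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials.conf")
        write_credential_file(path, record)
        with open(path) as f:
            contents = f.read()
        mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "weak_leaks": plaintext_password(WEAK_CONFIG),       # 'Welcome1'
        "hardened_leaks": password in contents,              # False
        "group_or_world_readable": bool(mode & 0o077),       # False on POSIX
        "login_ok": verify(record, password),                # True
        "wrong_password_ok": verify(record, password.lower()),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Hashing fixes only the storage half of the finding; the transmission half (CWE-522) still requires the web server to accept the login over TLS rather than cleartext HTTP, and the hashed file must sit outside any directory the server will serve unauthenticated.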

The vulnerabilities were reported to the National Cybersecurity and Communications Integration Center (NCCIC) by security researcher Maxim Rupp.

NCCIC recommends users take measures to minimize the risk of the flaws being exploited. These include:

  • Minimizing network exposure for all control system devices
  • Ensuring control system devices are not exposed to the Internet
  • Locating control system networks behind firewalls
  • Isolating control system networks from the business network
  • Using VPNs when remote access is required, and keeping the VPN software patched and on the current version.

BeaconMedaes has assessed the vulnerabilities and released an update – version 4107600010.24 – that corrects the flaws. Affected users should apply it as soon as possible.

BeaconMedaes recommends affected users contact the company directly on 1-888-4MEDGAS (463-3427) to obtain the update.

NCCIC recommends that organizations perform an impact analysis and risk assessment before updating software or implementing defensive measures.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.